startssl at boot time

RYAN vAN GINNEKEN rmvg at shaw.ca
Thu Apr 8 02:58:47 PDT 2004


Thanks, but I already have that line in my rc.conf file, and the log
entries that I have submitted to this list are not from a reboot but
rather from apachectl stop and start or startssl.  So when I run a startssl I
get the randomness I need; however, when I just use apachectl start, which
is 99.9% the same command, it does not.  Honestly I am stumped; hope you
have some more wisdom to share.  There is also the line about the SSL cache;
I have done some googling but have not been able to come up with anything
that helps.

Matthew Seaman wrote:

>On Wed, Apr 07, 2004 at 03:39:42PM -0600, RYAN vAN GINNEKEN wrote:
>
>>Seems to initialize ssl but my ssl page still does not work however my
>>regular page does work.  Here is a print out of the log file when i do
>>an apachectl stop and apachectl startssl.  when i use startssl
>>everything work great including my ssl page.
>
>>[Wed Apr 07 13:20:08 2004] [info] Init: Seeding PRNG with 0 bytes of entropy
>>[Wed Apr 07 13:20:08 2004] [warn] Init: Session Cache is not configured
>>[hint: SSLSess
>
>The fact that you can do an apachectl startssl and have everything
>work as desired means that you're 99.99% of the way to getting it all
>to work.  The modification to the apache2.sh script I sent you last
>time should force that script to always run 'apachectl startssl'
>itself, so that shouldn't be the problem.
>
>Hmmm... I think that perhaps the problem arises from when the
>apache2.sh script is run.  I'm guessing that the 'Seeding PRNG' line
>is significant -- it apparently means that there is no random data yet
>available from /dev/random at the point when apache is started up in
>the boot sequence.  As you're running 4.9, that can be cured by
>telling the system to use some appropriate IRQs as sources of
>randomness.  First run:
>
>    % vmstat -i
>
>and look for the IRQs where there are a lot of interrupts generated.
>Not the 'clk' or 'rtc' interrupts, as those are clock ticks, firing at
>regular intervals, which is worse than useless as a source of
>randomness.  I find that irq12 (psm0 -- the mouse), irq1 (atkbd0 --
>the keyboard), irq11 (mux -- multiplex: but this is network activity
>mostly) and irq15 (mux -- multiplex again, but disk activity mostly)
>work well for me, but you will have to choose 2 or 3 or 4 suitable
>IRQs on your own system to harvest for randomness.
>
>Then add them to /etc/rc.conf
>
>    rand_irqs="1 11 12 15"
>
>Then reboot.  (See rndcontrol(8) for more details)
>
>With luck, and a following wind, there will be sufficient system
>activity during startup that there will be sufficient random data
>available to prime the PRNG used by OpenSSL, which should let apache
>start up automatically.
>
>	Cheers,
>
>	Matthew
>
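The procedure in the quoted reply (inspect vmstat -i, skip the clk/rtc clock ticks, pick the busiest IRQs, set rand_irqs in /etc/rc.conf), worked through as an added example that is not part of either message: a POSIX sh script that reads vmstat -i output on stdin and emits the rc.conf line. The vmstat -i output embedded below is constructed, not from the poster's machine, and the "busiest N IRQs" selection rule and the function names are assumptions of this example, not anything the reply prescribes.

```shell
#!/bin/sh
# Constructed sample of 'vmstat -i' output on a FreeBSD 4.x host (not real
# data). Columns: device and irq, total interrupt count, rate per second.
SAMPLE_VMSTAT='interrupt                   total       rate
ata0 irq14                  2034          0
ata1 irq15                 98765         12
mux irq11                 418391         52
fdc0 irq6                      1          0
atkbd0 irq1                 4311          0
psm0 irq12                 24567          3
clk irq0                  812345        100
rtc irq8                 1039801        128
Total                    2400215        295'

# usage: vmstat -i | pick_rand_irqs N
# Prints the N IRQ numbers with the highest interrupt totals, busiest first,
# excluding clk and rtc: they fire at fixed intervals, so an attacker can
# predict their timing and they add no usable entropy to the pool.
pick_rand_irqs() {
    awk '$2 ~ /^irq[0-9]+$/ && $1 != "clk" && $1 != "rtc" {
             sub(/^irq/, "", $2); print $3, $2 }' |
      sort -rn | head -n "$1" | awk '{ print $2 }'
}

# usage: vmstat -i | rc_conf_line N
# Renders the /etc/rc.conf setting the reply describes, e.g.
#   rand_irqs="1 11 12 15"
# (order here is by activity; rndcontrol(8) does not care about order).
rc_conf_line() {
    irqs=$(pick_rand_irqs "$1" | tr '\n' ' ' | sed 's/ $//')
    printf 'rand_irqs="%s"\n' "$irqs"
}

# usage: has_rand_irqs "$(cat /etc/rc.conf)"
# Succeeds only if the rc.conf text already carries a non-empty rand_irqs
# setting, so a boot-time PRNG check can tell "not configured" from "wrong IRQs".
has_rand_irqs() {
    printf '%s\n' "$1" | grep -q '^rand_irqs="[0-9][0-9 ]*"$'
}

# Demonstration against the constructed sample; on a real 4.x host you would
# pipe the live command instead:  vmstat -i | rc_conf_line 4
demo_rc_conf_line() {
    printf '%s\n' "$SAMPLE_VMSTAT" | rc_conf_line 4
}
```

Before trusting the chosen IRQs, confirm after a reboot that the "Seeding PRNG with 0 bytes of entropy" line no longer appears in the apache error log; if it does, the selected devices are not active early enough in the boot sequence.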

