startssl at boot time
RYAN vAN GINNEKEN
rmvg at shaw.ca
Thu Apr 8 02:58:47 PDT 2004
Thanks, but I already have that line in my rc.conf file, and the log
entries that I have submitted to this list are not from a reboot but
rather apachectl stop and start or startssl. So when I run a startssl I
get the randomness I need; however, when I just use apachectl start, which
is 99.9% the same command, it does not. Honestly I am stumped; hope you
have some more wisdom to share. There is also the line about SSL cache.
I have done some googling but have not been able to come up with anything.
Matthew Seaman wrote:
>On Wed, Apr 07, 2004 at 03:39:42PM -0600, RYAN vAN GINNEKEN wrote:
>>Seems to initialize SSL, but my SSL page still does not work; however, my
>>regular page does work. Here is a printout of the log file when I do
>>an apachectl stop and apachectl startssl. When I use startssl,
>>everything works great, including my SSL page.
>>[Wed Apr 07 13:20:08 2004] [info] Init: Seeding PRNG with 0 bytes of entropy
>>[Wed Apr 07 13:20:08 2004] [warn] Init: Session Cache is not configured
>The fact that you can do an apachectl startssl and have everything
>work as desired means that you're 99.99% of the way to getting it all
>to work. The modification to the apache2.sh script I sent you last
>time should force that script to always run 'apachectl startssl'
>itself, so that shouldn't be the problem.
>Hmmm... I think that perhaps the problem arises from when the
>apache2.sh script is run. I'm guessing that the 'Seeding PRNG' line
>is significant -- it apparently means that there is no random data yet
>available from /dev/random at the point when apache is started up in
>the boot sequence. As you're running 4.9, that can be cured by
>telling the system to use some appropriate IRQs as sources of
>randomness. First run:
> % vmstat -i
>and look for the IRQs where there are a lot of interrupts generated.
>Not the 'clk' or 'rtc' interrupts, as those are clock ticks, firing at
>regular intervals, which is worse than useless as a source of
>randomness. I find that irq12 (psm0 -- the mouse), irq1 (atkbd0 --
>the keyboard), irq11 (mux -- multiplex: but this is network activity
>mostly) and irq15 (mux -- multiplex again, but disk activity mostly)
>work well for me, but you will have to choose 2 or 3 or 4 suitable
>IRQs on your own system to harvest for randomness.
>Then add them to /etc/rc.conf
> rand_irqs="1 11 12 15"
>Then reboot. (See rndcontrol(8) for more details)
>With luck, and a following wind, there will be sufficient system
>activity during startup that there will be sufficient random data
>available to prime the PRNG used by OpenSSL, which should let apache
>start up automatically.
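
The IRQ selection step described in the quoted reply, as an added example that is not part of the original thread: it reads `vmstat -i` output, drops the 'clk' and 'rtc' clock interrupts, and prints a `rand_irqs` line for the busiest remaining IRQs. The sample output is constructed, the `<device> irq<N> <total> <rate>` column layout is an assumption about FreeBSD 4.x, and `sample_vmstat` and `pick_rand_irqs` are hypothetical names.

```shell
#!/bin/sh
# Added example: choose rand_irqs candidates from `vmstat -i` output.
# Assumes the FreeBSD 4.x column layout: <device> irq<N> <total> <rate>.

# Constructed sample output (not taken from a real host).
sample_vmstat() {
cat <<'EOF'
interrupt      total      rate
clk irq0     8640000       100
atkbd0 irq1     5210         0
fdc0 irq6          1         0
rtc irq8    11059200       128
mux irq11     912345        10
psm0 irq12     48213         0
ata0 irq14        12         0
mux irq15     301122         3
Total       20866103       241
EOF
}

# pick_rand_irqs [count]: read vmstat -i text on stdin, print an rc.conf line
# naming the `count` busiest IRQs (default 4), in ascending IRQ order.
pick_rand_irqs() {
    count=${1:-4}
    irqs=$(awk '
        NR == 1 || $1 == "Total"     { next }  # header and summary rows
        $1 == "clk" || $1 == "rtc"   { next }  # regular clock ticks, useless as entropy
        $2 ~ /^irq[0-9]+$/ && $3 > 0 { sub(/^irq/, "", $2); print $3, $2 }
    ' | sort -k1,1nr | head -n "$count" | awk '{ print $2 }' | sort -n | tr '\n' ' ')
    printf 'rand_irqs="%s"\n' "${irqs% }"
}

# On a live system: vmstat -i | pick_rand_irqs 4
sample_vmstat | pick_rand_irqs 4
```

Interrupt count is only a proxy for how active a source is, so check the suggested list against what the devices actually are before putting it in /etc/rc.conf.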