startssl at boot time
Dirk-Willem van Gulik
dirkx at webweaving.org
Thu Apr 8 14:28:00 PDT 2004
On Apr 8, 2004, at 12:58 AM, RYAN vAN GINNEKEN wrote:
> THANKS but i already have that line in my rc.conf file and the log
> entries that i have submitted to this list are not from a reboot but
> rather apachectl stop and start or startssl. So when i run a startssl
> i get the randomness i need however when i just use apachectl start
> which is 99.9% the same command it does not. honestly i am stumped
> hope you have some more wisdom to share. There is also the line about
> ssl cache i have do some googleing but have not been able to come up
> with anything that helps.
The trouble you are having is not with the SSLCache (which you should
enable regardless, but for
different reasons). If you already do rand_irqs's in your rc.conf and
you safe/load the entropy over
boot time; then that is about the best you can do in assuring there is
'real' entropy in the /dev/random
sort of getting into special kernels and/or hardware.
So next step is to read the comments in the section 'Pseudo Random
Number Generator' and the
mod_ssl manual and deceide if in -your- case you can get away with less
randomness. In some
specific cases you can.
What is puzzling is that, assuming that the log file you are showing us
is complete, is that
you are -not- getting the fatal
error "Failed to generate temporary 512 bit RSA private key".
S o it may be worth to switch logging to 'debug' level and double check
something else (e.g. DNS timeout, lack of a ca-bundle/chain) is biting
you. There is a
very complete FAQ on ssl and apache in the apache bundle.
> Matthew Seaman wrote:
>> On Wed, Apr 07, 2004 at 03:39:42PM -0600, RYAN vAN GINNEKEN wrote:
>>> Seems to initialize ssl but my ssl page still does not work however
>>> regular page does work. Here is a print out of the log file when i
>>> an apachectl stop and apachectl startssl. when i use startssl
>>> everything work great including my ssl page.
>>> [Wed Apr 07 13:20:08 2004] [info] Init: Seeding PRNG with 0 bytes of
>>> [Wed Apr 07 13:20:08 2004] [warn] Init: Session Cache is not
>>> [hint: SSLSess
>> The fact that you can do an apachectl startssl and have everything
>> work as desired means that you're 99.99% of the way to gettting it all
>> to work. The modification to the apache2.sh script I sent you last
>> time sould force that script to always run 'apachectl startssl'
>> itself, so that shouldn't be the problem.
>> Hmmm... I think that perhaps the problem arises from when the
>> apache2.sh script is run. I'm guessing that the 'Seeding PRNG' line
>> is significant -- it aparently means that there is no random data yet
>> available from /dev/random at the point when apache is started up in
>> the boot sequence. As you're running 4.9, that can be cured by
>> telling the system to use some appropriate IRQs as sources of
>> randomness. First run:
>> % vmstat -i
>> and look for the IRQs where there are a lot of interrupts generated.
>> Not the 'clk' or 'rtc' interrupts, as those are clock ticks, firing at
>> regular intervals, which is worse than useless as a source of
>> randomness. I find that irq12 (psm0 -- the mouse), irq1 (atkbd0 --
>> the keyboard), irq11 (mux -- multiplex: but this is network activity
>> mostly) and irq15 (mux -- multiplex again, but disk activity mostly)
>> work well for me, but you will have to choose 2 or 3 or 4 suitable
>> IRQs on your own system to harvest for randomness.
>> Then add them to /etc/rc.conf
>> rand_irqs="1 11 12 15"
>> Then reboot. (See rndcontrol(8) for more details)
>> With luck, and a following wind, there will be sufficient system
>> activity during startup that there will be sufficient random data
>> available to prime the PRNG used by OpenSSL, which should let apache
>> start up automatically.
> freebsd-questions at freebsd.org mailing list
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
More information about the freebsd-questions