From owner-freebsd-questions@FreeBSD.ORG Wed Apr 7 15:27:50 2004
From: Matthew Seaman
To: RYAN vAN GINNEKEN
Cc: freebsd-questions@freebsd.org
Date: Wed, 7 Apr 2004 23:27:02 +0100
Subject: Re: startssl at boot time
Message-ID: <20040407222702.GA66122@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <4074751E.2070607@shaw.ca>
References: <406F324B.1050005@shaw.ca> <20040404112328.GB7849@happy-idiot-talk.infracaninophile.co.uk> <4072488A.7050200@shaw.ca> <20040406090720.GB17361@happy-idiot-talk.infracaninophile.co.uk> <4074751E.2070607@shaw.ca>
User-Agent: Mutt/1.5.6i
List-Id: User questions
On Wed, Apr 07, 2004 at 03:39:42PM -0600, RYAN vAN GINNEKEN wrote:

> Seems to initialize ssl but my ssl page still does not work, however my
> regular page does work. Here is a print out of the log file when I do
> an apachectl stop and apachectl startssl. When I use startssl
> everything works great including my ssl page.
> [Wed Apr 07 13:20:08 2004] [info] Init: Seeding PRNG with 0 bytes of entropy
> [Wed Apr 07 13:20:08 2004] [warn] Init: Session Cache is not configured
> [hint: SSLSess

The fact that you can do an apachectl startssl and have everything work
as desired means that you're 99.99% of the way to getting it all to
work. The modification to the apache2.sh script I sent you last time
should force that script to always run 'apachectl startssl' itself, so
that shouldn't be the problem.

Hmmm... I think that perhaps the problem arises from when the apache2.sh
script is run. I'm guessing that the 'Seeding PRNG' line is
significant -- it apparently means that there is no random data yet
available from /dev/random at the point when apache is started up in the
boot sequence.

As you're running 4.9, that can be cured by telling the system to use
some appropriate IRQs as sources of randomness. First run:

    % vmstat -i

and look for the IRQs where there are a lot of interrupts generated.
Not the 'clk' or 'rtc' interrupts, as those are clock ticks, firing at
regular intervals, which is worse than useless as a source of
randomness.

I find that irq12 (psm0 -- the mouse), irq1 (atkbd0 -- the keyboard),
irq11 (mux -- multiplex: but this is network activity mostly) and irq15
(mux -- multiplex again, but disk activity mostly) work well for me, but
you will have to choose 2 or 3 or 4 suitable IRQs on your own system to
harvest for randomness. Then add them to /etc/rc.conf:

    rand_irqs="1 11 12 15"

Then reboot. (See rndcontrol(8) for more details.)

With luck, and a following wind, there will be sufficient system
activity during startup that there will be sufficient random data
available to prime the PRNG used by OpenSSL, which should let apache
start up automatically.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
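The IRQ-selection procedure in the reply above, worked through as an added example (this is not part of Matthew's mail and not FreeBSD's own code): a POSIX sh script that reads `vmstat -i` output in the FreeBSD 4.x "<device> irq<N> <total> <rate>" layout, drops the clk and rtc clock interrupts exactly as the mail advises, keeps the N busiest remaining IRQs by cumulative count, and prints the rand_irqs line to paste into /etc/rc.conf. The sample vmstat output is constructed (the device/IRQ pairs are the ones named in the mail, the counts are made up), and the function names pick_rand_irqs and rand_irqs_line are mine. rand_irqs and rndcontrol(8) are the 4.x mechanism the mail refers to; the script only generates the rc.conf line and changes nothing on the system.

```shell
#!/bin/sh
# Added example: choose IRQs to harvest for randomness on FreeBSD 4.x from
# `vmstat -i` output, following the advice in the mail above.

# Constructed sample of FreeBSD 4.x `vmstat -i` output (not captured from a
# real machine). On a live system pipe the real command in instead:
#   vmstat -i | rand_irqs_line 4
SAMPLE_VMSTAT='interrupt                   total       rate
mux irq11                  654321        37
mux irq15                  212345        12
psm0 irq12                  98765         5
atkbd0 irq1                 12345         0
sio0 irq4                     312         0
clk irq0                  1822345       100
rtc irq8                  2331801       128
Total                     5132434       282'

# pick_rand_irqs N: read `vmstat -i` output on stdin and print the N busiest
# IRQ numbers as a space-separated list, skipping the clock sources.
pick_rand_irqs() {
    n="${1:-4}"
    awk '
        # Data lines look like: "<device> irq<N> <total> <rate>";
        # the header line and the "Total" line do not match this test.
        $2 ~ /^irq[0-9]+$/ {
            dev = $1; irq = substr($2, 4); total = $3
            # clk and rtc fire at a fixed rate: the mail rules them out.
            if (dev == "clk" || dev == "rtc") next
            print total, irq
        }' |
    sort -rn |                       # busiest interrupt first
    head -n "$n" |
    awk '{ printf "%s%s", (NR > 1 ? " " : ""), $2 } END { print "" }'
}

# rand_irqs_line N: the /etc/rc.conf line built from the chosen IRQs.
rand_irqs_line() {
    printf 'rand_irqs="%s"\n' "$(pick_rand_irqs "$1")"
}

# Run against the constructed sample.
printf '%s\n' "$SAMPLE_VMSTAT" | pick_rand_irqs 4
printf '%s\n' "$SAMPLE_VMSTAT" | rand_irqs_line 4
```

The ranking is by the cumulative interrupt total since boot, which is all `vmstat -i` gives you, so look at the device names it picks rather than trusting the numbers alone: a source that is busy during normal use but idle early in the boot sequence will not help apache start any sooner.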