Date: Wed, 07 Apr 2004 16:58:24 -0600
From: RYAN vAN GINNEKEN <rmvg@shaw.ca>
To: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc: freebsd-questions@freebsd.org
Subject: Re: startssl at boot time
Message-ID: <40748790.9050206@shaw.ca>
In-Reply-To: <20040407222702.GA66122@happy-idiot-talk.infracaninophile.co.uk>
References: <406F324B.1050005@shaw.ca> <20040404112328.GB7849@happy-idiot-talk.infracaninophile.co.uk> <4072488A.7050200@shaw.ca> <20040406090720.GB17361@happy-idiot-talk.infracaninophile.co.uk> <4074751E.2070607@shaw.ca> <20040407222702.GA66122@happy-idiot-talk.infracaninophile.co.uk>
Thanks, but I already have that line in my rc.conf file, and the log entries
that I have submitted to this list are not from a reboot but rather from
apachectl stop and start or startssl. So when I run a startssl I get the
randomness I need; however, when I just use apachectl start, which is 99.9%
the same command, it does not. Honestly, I am stumped; hope you have some more
wisdom to share. There is also the line about the SSL cache. I have done some
googling but have not been able to come up with anything that helps.

Matthew Seaman wrote:

>On Wed, Apr 07, 2004 at 03:39:42PM -0600, RYAN vAN GINNEKEN wrote:
>
>>Seems to initialize SSL, but my SSL page still does not work; however, my
>>regular page does work. Here is a printout of the log file when I do
>>an apachectl stop and apachectl startssl. When I use startssl,
>>everything works great, including my SSL page.
>
>>[Wed Apr 07 13:20:08 2004] [info] Init: Seeding PRNG with 0 bytes of entropy
>>[Wed Apr 07 13:20:08 2004] [warn] Init: Session Cache is not configured
>>[hint: SSLSess
>
>The fact that you can do an apachectl startssl and have everything
>work as desired means that you're 99.99% of the way to getting it all
>to work. The modification to the apache2.sh script I sent you last
>time should force that script to always run 'apachectl startssl'
>itself, so that shouldn't be the problem.
>
>Hmmm... I think that perhaps the problem arises from when the
>apache2.sh script is run. I'm guessing that the 'Seeding PRNG' line
>is significant -- it apparently means that there is no random data yet
>available from /dev/random at the point when apache is started up in
>the boot sequence. As you're running 4.9, that can be cured by
>telling the system to use some appropriate IRQs as sources of
>randomness. First run:
>
> % vmstat -i
>
>and look for the IRQs where there are a lot of interrupts generated.
>Not the 'clk' or 'rtc' interrupts, as those are clock ticks, firing at
>regular intervals, which is worse than useless as a source of
>randomness. I find that irq12 (psm0 -- the mouse), irq1 (atkbd0 --
>the keyboard), irq11 (mux -- multiplex: but this is network activity
>mostly) and irq15 (mux -- multiplex again, but disk activity mostly)
>work well for me, but you will have to choose 2 or 3 or 4 suitable
>IRQs on your own system to harvest for randomness.
>
>Then add them to /etc/rc.conf
>
> rand_irqs="1 11 12 15"
>
>Then reboot. (See rndcontrol(8) for more details)
>
>With luck, and a following wind, there will be sufficient system
>activity during startup that there will be sufficient random data
>available to prime the PRNG used by OpenSSL, which should let apache
>start up automatically.
>
> Cheers,
>
> Matthew
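The IRQ-selection procedure quoted above, as an added shell example that is not part of this thread or of FreeBSD's own scripts: it reads `vmstat -i` output, drops the clk/rtc timer interrupts and the header/Total lines, ranks the remaining IRQs by interrupt rate, and emits the matching `rand_irqs` line for /etc/rc.conf. It also includes a check for the "Seeding PRNG with 0 bytes of entropy" log line that is the symptom being diagnosed. The `vmstat -i` sample is constructed in the FreeBSD 4.x column layout (device, irqN, total, rate); the function names and the choice of "up to four busiest non-clock IRQs" are this example's own assumptions, not the thread's.

```shell
#!/bin/sh
# Added example: choose rand_irqs candidates from `vmstat -i` output and
# check an Apache/mod_ssl error log for the unseeded-PRNG symptom.
# Not from the mailing-list thread; names and thresholds are assumptions.

# Constructed sample of FreeBSD 4.x `vmstat -i` output (not a real capture).
# On a live system you would run:  vmstat -i | select_rand_irqs 4
SAMPLE_VMSTAT='interrupt                   total       rate
ata0 irq14                  51234         12
ata1 irq15                 412345         98
mux irq11                 1723456        410
psm0 irq12                   9876          2
atkbd0 irq1                  4321          1
sio0 irq4                     100          0
clk irq0                 41999999        999
rtc irq8                  5375999        128
Total                    49576331       1650'

# Constructed log lines; the first repeats the symptom quoted in the thread.
SAMPLE_LOG='[Wed Apr 07 13:20:08 2004] [info] Init: Seeding PRNG with 0 bytes of entropy
[Wed Apr 07 13:20:08 2004] [warn] Init: Session Cache is not configured'

# select_rand_irqs MAX
#   Reads `vmstat -i` on stdin; prints up to MAX IRQ numbers on one line,
#   busiest first. Skips the header and Total lines, the clk/rtc timer
#   interrupts (regular ticks, useless as entropy) and zero-rate sources.
select_rand_irqs() {
    max=${1:-4}
    awk -v max="$max" '
        $1 == "interrupt" || $1 == "Total" { next }
        $1 == "clk" || $1 == "rtc"         { next }
        $2 ~ /^irq[0-9]+$/ {
            sub(/^irq/, "", $2)          # "irq11" -> "11"
            if ($NF + 0 > 0) print $NF, $2   # rate first so sort -rn ranks by it
        }' \
    | sort -rn | head -n "$max" | awk '{ print $2 }' \
    | tr '\n' ' ' | sed 's/ $//'
}

# rc_conf_line MAX
#   Formats the selection as the /etc/rc.conf setting the thread describes.
rc_conf_line() {
    printf 'rand_irqs="%s"\n' "$(select_rand_irqs "$1")"
}

# prng_unseeded [LOGFILE]
#   Returns 0 (true) if mod_ssl logged that it seeded its PRNG with 0 bytes,
#   i.e. /dev/random had nothing to give at startup; reads stdin if no file.
prng_unseeded() {
    grep -q 'Seeding PRNG with 0 bytes of entropy' "$@"
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_VMSTAT" | rc_conf_line 4
if printf '%s\n' "$SAMPLE_LOG" | prng_unseeded; then
    echo "mod_ssl started with an unseeded PRNG; entropy was not available at boot"
fi
```

On the sample above this prints `rand_irqs="11 15 14 12"`: the mux (network), ata1 (disk), ata0 and psm0 (mouse) lines, in rate order, with clk and rtc excluded as the thread advises. Treat the output as a starting point to review by hand, as Matthew does: a busy device is not automatically a good entropy source, and on later FreeBSD releases, where the kernel harvests entropy itself through Yarrow/Fortuna, `rand_irqs` and rndcontrol(8) no longer exist, so this applies to the 4.x system in the thread only.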