Date:      Wed, 7 Apr 2004 23:27:02 +0100
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        RYAN vAN GINNEKEN <rmvg@shaw.ca>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: startssl at boot time
Message-ID:  <20040407222702.GA66122@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <4074751E.2070607@shaw.ca>
References:  <406F324B.1050005@shaw.ca> <20040404112328.GB7849@happy-idiot-talk.infracaninophile.co.uk> <4072488A.7050200@shaw.ca> <20040406090720.GB17361@happy-idiot-talk.infracaninophile.co.uk> <4074751E.2070607@shaw.ca>


On Wed, Apr 07, 2004 at 03:39:42PM -0600, RYAN vAN GINNEKEN wrote:

> Seems to initialize ssl, but my ssl page still does not work; however, my
> regular page does work.  Here is a printout of the log file when I do
> an apachectl stop and apachectl startssl.  When I use startssl
> everything works great, including my ssl page.

> [Wed Apr 07 13:20:08 2004] [info] Init: Seeding PRNG with 0 bytes of entropy
> [Wed Apr 07 13:20:08 2004] [warn] Init: Session Cache is not configured
> [hint: SSLSess

The fact that you can do an apachectl startssl and have everything
work as desired means that you're 99.99% of the way to getting it all
to work.  The modification to the apache2.sh script I sent you last
time should force that script to always run 'apachectl startssl'
itself, so that shouldn't be the problem.

Hmmm... I think that perhaps the problem arises from when the
apache2.sh script is run.  I'm guessing that the 'Seeding PRNG' line
is significant -- it apparently means that there is no random data yet
available from /dev/random at the point when apache is started up in
the boot sequence.  As you're running 4.9, that can be cured by
telling the system to use some appropriate IRQs as sources of
randomness.  First run:

    % vmstat -i

and look for the IRQs where there are a lot of interrupts generated.
Not the 'clk' or 'rtc' interrupts, as those are clock ticks, firing at
regular intervals, which is worse than useless as a source of
randomness.  I find that irq12 (psm0 -- the mouse), irq1 (atkbd0 --
the keyboard), irq11 (mux -- multiplex: but this is network activity
mostly) and irq15 (mux -- multiplex again, but disk activity mostly)
work well for me, but you will have to choose 2 or 3 or 4 suitable
IRQs on your own system to harvest for randomness.

Then add them to /etc/rc.conf

    rand_irqs="1 11 12 15"

Then reboot.  (See rndcontrol(8) for more details)

With luck, and a following wind, there will be sufficient system
activity during startup that there will be sufficient random data
available to prime the PRNG used by OpenSSL, which should let apache
start up automatically.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

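The IRQ-selection step Matthew describes (run vmstat -i, keep the busy device interrupts, drop the clk/rtc clock ticks, put the survivors in rand_irqs) can be scripted. The script below is an added example, not part of the mail thread or of FreeBSD itself; the vmstat -i listing it parses is constructed for the demo, with device names and counts made up and laid out in the "name irqN total rate" shape of the 4.x era, and the 1000-interrupt threshold and limit of four IRQs are assumptions you would tune by eye on a real box.

```shell
#!/bin/sh
# Added example: turn a vmstat -i listing into an rc.conf rand_irqs line.
# VMSTAT_SAMPLE is constructed for this demo; on a live FreeBSD 4.x host you
# would feed it the real output of `vmstat -i` instead.

VMSTAT_SAMPLE='interrupt                   total       rate
mux irq11                  482113         42
mux irq15                  209874         18
psm0 irq12                  61102          5
atkbd0 irq1                 12877          1
sio0 irq4                      40          0
clk irq0                  1149904        100
rtc irq8                  1471876        128
Total                     3387786        294'

# select_rand_irqs MIN MAX
#   Keep device interrupts with more than MIN total interrupts, skip the
#   periodic clk/rtc sources (regular ticks carry no entropy), take the MAX
#   busiest, and print their IRQ numbers in ascending order on one line.
select_rand_irqs() {
  min=${1:-1000}
  max=${2:-4}
  printf '%s\n' "$VMSTAT_SAMPLE" | awk -v min="$min" -v max="$max" '
    NR == 1 || $1 == "Total" { next }        # header and summary rows
    $1 == "clk" || $1 == "rtc" { next }      # clock ticks: worse than useless
    $2 ~ /^irq[0-9]+$/ && $3 > min {
      sub(/^irq/, "", $2)                    # "irq11" -> "11"
      print $3, $2                           # total first so sort -rn ranks by activity
    }
  ' | sort -rn | head -n "$max" | awk '{ print $2 }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# rc_conf_line MIN MAX
#   Render the /etc/rc.conf line from the selected IRQs.
rc_conf_line() {
  printf 'rand_irqs="%s"\n' "$(select_rand_irqs "$@")"
}

rc_conf_line 1000 4
```

On the constructed sample the busy sources are the two mux lines, the mouse and the keyboard, so the script prints `rand_irqs="1 11 12 15"`, the same line as in the reply; the serial port at 40 interrupts falls under the threshold and the clock sources are excluded regardless of their (very high) counts. After appending that line to /etc/rc.conf the change takes effect on the next boot, as the mail says.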



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040407222702.GA66122>