http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25867

[patch] SSL random number seeding errors on startup

           Summary: [patch] SSL random number seeding errors on startup
           Product: Apache httpd-2.0
           Version: 2.0.48
          Platform: Sun
        OS/Version: Solaris
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: mod_ssl
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]

Installing httpd-2.0.48 on Solaris, with SSL support (OpenSSL 0.9.7c), led me to the following error:

    [Fri Jan 02 10:18:39 2004] [warn] Init: PRNG still contains insufficient entropy!
    [Fri Jan 02 10:18:39 2004] [error] Init: Failed to generate temporary 512 bit RSA private key
    Configuration Failed

The SSLRandomSeed directive was set to builtin though, which according to the docs should always be available. Trying values to point it at my egd socket also had no effect. A truss of the process showed it trying to open /dev/random, /dev/srandom, and /dev/urandom anyway.

A pretty exhaustive search turned up lots of people with this problem, but no real definitive answers. Finally, I figured it out, and I'm guessing the situation is similar for a lot of people. I had just installed the server, without generating any certificates yet, so I was using "apachectl start" to make sure the server started up without SSL support. This of course doesn't define "SSL" on the command line, and the entire ssl.conf is wrapped in an <IfDefine SSL>. So therefore, the SSLRandomSeed directive was never getting read, and Apache was asking openssl for the default /dev/random.

So "apachectl start" seems to be broken if the server is compiled with mod_ssl and the platform does not have a /dev/random. The most obvious fix is to move the SSLRandomSeed directives outside of the IfDefine SSL, making them execute regardless of the SSL setting (but still only included if mod_ssl is present). A patch to do just that for ssl-std.conf.in is included.
If this isn't an appropriate solution, or "apachectl start" is not supported for ssl-enabled installations, then this should be at least mentioned in the docs or FAQ, probably where the mention of this exact error message occurs (in the "About installation" section), as it seems to be pretty commonly encountered (sometimes with a different root cause, but I'd imagine this one is pretty common judging by the number of identical questions out there on the web with no definitive answer).
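The condition described in the report above, as an added example (not code from the report or from the httpd project): a small Python check that walks a config's <IfDefine>/<IfModule> nesting and lists the SSLRandomSeed lines httpd would actually read for a given set of -D names. The two sample configs and the function name are constructed for illustration, and mod_ssl is assumed to be loaded.

```python
import re

# Constructed samples, not the shipped ssl-std.conf: seeding directives
# inside <IfDefine SSL> (before) and moved outside it (after).
BEFORE = """<IfModule mod_ssl.c>
<IfDefine SSL>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
Listen 443
</IfDefine>
</IfModule>
"""
AFTER = """<IfModule mod_ssl.c>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
<IfDefine SSL>
Listen 443
</IfDefine>
</IfModule>
"""

OPEN = re.compile(r"<\s*(IfDefine|IfModule)\s+([^>]+?)\s*>", re.I)
CLOSE = re.compile(r"<\s*/\s*(IfDefine|IfModule)\s*>", re.I)

def seed_directives(conf, defines=()):
    """Return the SSLRandomSeed lines read when httpd runs with these -D names.

    Assumption: mod_ssl is loaded, so every <IfModule> block counts as active.
    """
    defined = set(defines)
    stack = []  # one flag per open container: is its content read?
    seen = []
    for raw in conf.splitlines():
        line = raw.strip()
        opened = OPEN.match(line)
        if opened:
            kind, arg = opened.group(1).lower(), opened.group(2)
            active = True
            if kind == "ifdefine":
                # "!NAME" inverts the test
                active = (arg.lstrip("!") in defined) != arg.startswith("!")
            stack.append(active)
        elif CLOSE.match(line):
            if stack:
                stack.pop()
        elif all(stack) and line.lower().startswith("sslrandomseed"):
            seen.append(line)
    return seen

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, "plain start:", seed_directives(conf))
        print(name, "with -D SSL:", seed_directives(conf, ["SSL"]))
```

An empty result for a plain start on a build that includes mod_ssl is the state the report describes: no SSLRandomSeed line is read, so the configured seed source never takes effect.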
