http://nagoya.apache.org/bugzilla/show_bug.cgi?id=25867

[patch] SSL random number seeding errors on startup

------- Additional Comments From [EMAIL PROTECTED] 2004-01-03 17:20 -------

Whoops. I've got a static mod_ssl, and the only place IfDefine appeared in the default config files was in ssl-std.conf wrapping the whole thing. Didn't realize it was used in shared mod_ssl configurations, and that is definitely going to cause a problem. Looks like this only applies to static mod_ssl compilations, and that a different fix is needed.

I'm not very familiar with the apache codebase, but it would seem that the real fix is to not initialize mod_ssl at all if SSL is not defined at runtime. That would solve the problem and would make the most sense. If you're not asking for ssl to be turned on, then it probably should not get initialized (which then requires the directives that get explicitly excluded when you run the server without -DSSL, leading to this little catch-22). Maybe I'll poke around and see if this is possible (probably take me a while though).

As for the FAQ, right now, when someone asks this question, they get told to look at the FAQ, and even if they read and understand this item completely, there is still more to it. Currently in the affected configuration, you can change SSLRandomSeed all you like; it never gets read out of the config file. You either need to move it out of the IfDefine, or recompile the server with a different default random socket. So the quickest interim solution would just be to tack this on in the FAQ right in the section you mention:

"When mod_ssl is compiled into your httpd statically, you must start it with the -DSSL flag (or use "apachectl startssl"), otherwise the SSLRandomSeed directive will be ignored, and the compiled-in default will be used."

I do think that just a plain start command without -DSSL should work to start httpd without SSL support, since starting with SSL support may not always be desirable (or possible if the person starting the server doesn't know the passphrase for the key).
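
As an added example (not part of the original comment or of the httpd code base), this Python check lists the SSLRandomSeed lines that a config hides behind an `<IfDefine>` test that fails for a given set of `-D` defines, which is the condition the comment describes for static mod_ssl builds. The function name and the sample config are constructed for illustration.

```python
import re

# Opening and closing <IfDefine> container lines; "!" negates the test.
OPEN_RE = re.compile(r"^<IfDefine\s+(!?)([^>\s]+)\s*>$", re.IGNORECASE)
CLOSE_RE = re.compile(r"^</IfDefine\s*>$", re.IGNORECASE)

# Constructed sample: an SSL config wrapped as a whole in <IfDefine SSL>.
SAMPLE_CONF = """\
# constructed sample, not taken from a real server
Listen 80
<IfDefine SSL>
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
Listen 443
</IfDefine>
"""


def skipped_seed_directives(conf_text, defines=()):
    """Return (line_no, text) for every SSLRandomSeed line that is skipped
    because an enclosing <IfDefine> test fails for `defines`, the names
    passed to httpd with -D (hypothetical helper, added for illustration)."""
    defines = set(defines)
    stack = []    # one bool per open <IfDefine>: is its body read?
    skipped = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN_RE.match(line)
        if opened:
            negated, name = opened.group(1) == "!", opened.group(2)
            stack.append((name in defines) != negated)
        elif CLOSE_RE.match(line):
            if stack:
                stack.pop()
        elif line.split()[0].lower() == "sslrandomseed" and not all(stack):
            skipped.append((line_no, line))
    return skipped


if __name__ == "__main__":
    for defines in ((), ("SSL",)):
        print(defines, skipped_seed_directives(SAMPLE_CONF, defines))
```

Any line it reports for an empty define set is one that a plain start without -DSSL never reads, so the compiled-in default applies instead.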
