James-

  As Phil says, CASCookieEntropy does not affect the entropy gather for
the SSL work internal to m-a-c.  I've been running into this problem
myself on some low-use boxes, and I'm planning (when time allows) to
look at the rng-tools for a solution.  If you have the chance, I'd
recommend taking a look at them - and if you do, please let us know your
results.

Thanks,
-Matt


On Wed, 2008-02-06 at 05:40 -0800, James Chabot-Weingart wrote:
> We are having similar problems with a Debian Etch server on OpenVZ
> (protecting AWstats).  I tried changing the CASCookieEntropy to 32, 16, and
> 8 (reloading apache each time), but it doesn't seem to have made a
> difference. I can still watch the entropy tick up until it passes 64, then
> goes back down to zero and slowly accumulates again.
> 
> I upgraded to mod_auth_cas version 1.0.6 (was 1.0.5), but it still does not
> seem to be respecting the directive.
> 
> Here is my auth_cas.conf:
> 
>  CASLoginURL https://login.uconn.edu/cas/login
>  CASValidateURL https://login.uconn.edu/cas/serviceValidate
>  CASCertificatePath /etc/ssl/certs/uconnCA.pem
>  CASTimeout 7200
>  CASIdleTimeout 3600
>  CASCookiePath /tmp/cas/
>  CASCookieEntropy 32
> 
> server-info shows the correct CASCookieEntropy value, so apache seems to
> know about it.  It seems like I must be missing something obvious, but I
> can't figure out what.  My next step is going to be tweaking the debugging
> code, so that I can get mod_auth_cas to tell me what it thinks
> CASCookieEntropy is at a couple of different spots.
> 
> I appreciate your time.
> 
> Thank you,
> -James
> 
> 
> 
> Matt is spot on here.  These were my thoughts:
> 
> * Have you changed the CASCookieEntropy value?
> 
> * What is your /proc/sys/kernel/random/entropy_avail value (especially
> when seeing this slowdown?  Try 'watch -n 0 cat
> /proc/sys/kernel/random/entropy_avail')
> 
> * Is this being done in an isolated VM?  If so, can you try it on a more
> active VM or 'real' machine that has entropy sources?
> 
> -Phil
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Smith, Matt
> Sent: Tuesday, December 18, 2007 1:17 PM
> To: Yale CAS mailing list
> Subject: Re: mod_auth_cas 'pause'.
> 
> Robert-
>   Three thoughts:
> 
> 1) Are you running under virtualization (VMWare, Xen, etc)?  We've seen
> a couple small problems with entropy generation in that scenario.  You
> can try reducing CASCookieEntropy to something smaller than 32, say, 16.
> 
> 2) Make sure the directory specified by CASCookiePath exists, has proper
> permissions, and has space.
> 
> 3) Is CASCertificatePath pointing to a directory (the default is
> /etc/ssl/certs/)?  If so, try pointing directly to the single cert
> representing your CAS server's signing CA.  Sometimes the directory
> lookup takes some time.
> 
> Please let us know if any of this seems to help.
> 
> HTH,
> -Matt
-- 
Matt Smith
[EMAIL PROTECTED]
University Information Technology Services (UITS)
University of Connecticut
PGP Key ID: 0xE9C5244E

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
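
Added example, not part of the original thread and not mod_auth_cas code: a shell helper that summarises a series of entropy_avail readings, such as the ones the 'watch' command suggested above displays, and counts how often the pool fills and is then drained. The function names, the thresholds (64 and 16) and the sample readings are assumptions constructed for illustration.

```shell
#!/bin/sh
# sample_entropy COUNT INTERVAL [FILE]: print COUNT readings of the kernel's
# entropy estimate, INTERVAL seconds apart. FILE defaults to the path from the thread.
sample_entropy() {
    count="$1"; interval="$2"
    file="${3:-/proc/sys/kernel/random/entropy_avail}"
    i=0
    while [ "$i" -lt "$count" ]; do
        cat "$file"
        i=$((i + 1))
        if [ "$i" -lt "$count" ]; then sleep "$interval"; fi
    done
}

# entropy_drains [HIGH] [LOW]: read one integer reading per line on stdin and
# print the sample count, min, max and number of drain events. A drain is
# counted when the pool has reached HIGH and a later reading is at or below LOW.
# HIGH=64 and LOW=16 are assumed thresholds, not values used by mod_auth_cas.
entropy_drains() {
    high="${1:-64}"
    low="${2:-16}"
    awk -v high="$high" -v low="$low" '
        /^[0-9]+$/ {
            v = $1 + 0
            if (n == 0 || v < min) min = v
            if (n == 0 || v > max) max = v
            if (armed && v <= low) { drains++; armed = 0 }
            if (v >= high) armed = 1
            n++
        }
        END {
            if (n == 0) { print "samples=0"; exit 1 }
            printf "samples=%d min=%d max=%d drains=%d\n", n, min, max, drains
        }'
}

# Constructed readings imitating the reported pattern: the value climbs past
# 64, drops to near zero, then slowly accumulates again.
constructed_sample() {
    printf '%s\n' 12 30 48 66 0 9 27 45 71 3
}

constructed_sample | entropy_drains
# On a live host, one minute at one reading per second:
#   sample_entropy 60 1 | entropy_drains
```

Repeated drains while requests stall suggest that something on the host is consuming the pool faster than it refills.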
