On Sun, Mar 07, 1999, Sampo Kellomaki wrote:
> I recently had a problem with a web server mysteriously blocking
> sometimes, especially if I would restart it often. As I run somewhat
> complex config with mod_perl and other stuff I thought there might be
> some compatibility problem, but then I found that it was blocking
> on read from /dev/random. I should have known.
>
> As a tip for others: if you seed your random numbers (SSLRandomSeed)
> from /dev/random, you risk your server startup and connections
> blocking nondeterministically when not enough randomness is
> available. Just use /dev/urandom and you'll be fine (although you
> lose a bit in security).
>
> Actually this problem is more severe on lightly used servers because
> idleness provides few sources of randomness.
>
> Perhaps the comments in httpd.conf.default of mod_ssl should clearly
> mention the consequences of using /dev/random.
The problem is that /dev/random behaves differently from platform to platform.
For instance, on your platform, when /dev/random has not enough entropy
available it blocks. On FreeBSD you just receive an EOF before the requested
amount of data is available, i.e. the device gives you only as much
entropy as it actually has. OTOH, /dev/urandom doesn't exist everywhere.
Hmmm... but at least I'll add a few hints to the documentation section for
SSLRandomSeed. Thanks for the hint.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
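The two failure modes discussed in this thread, a /dev/random that blocks until entropy arrives (the behaviour Sampo hit) and one that hands back a short read or EOF once its pool is drained (the FreeBSD behaviour Ralf describes), can both be handled by a seed reader that never waits on the primary device and tops up from /dev/urandom. The following is an added example, not code from the thread or from mod_ssl; the function names, the fallback strategy and the 512-byte seed size are this example's own choices, and it assumes a POSIX system where the fallback device exists.

```c
/* Added example (not from the original thread): collect an n-byte seed
 * without ever blocking on the primary entropy device, falling back to a
 * secondary device for whatever the primary could not supply immediately.
 * Covers both behaviours described in the thread: a /dev/random that
 * blocks (opened O_NONBLOCK here, so it yields EAGAIN instead) and one
 * that returns EOF/short reads once its pool is drained (FreeBSD). */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Read up to n bytes from path without blocking. Returns the number of
 * bytes actually obtained (0..n); stops early on EOF, EAGAIN or error. */
static size_t read_nonblocking(const char *path, unsigned char *buf, size_t n)
{
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return 0;                   /* device missing: caller falls back */
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r > 0) {
            got += (size_t)r;
        } else if (r == 0) {
            break;                  /* EOF: pool drained (FreeBSD style) */
        } else if (errno == EINTR) {
            continue;               /* interrupted by a signal: retry */
        } else {
            break;                  /* EAGAIN or other error: would block */
        }
    }
    close(fd);
    return got;
}

/* Fill buf with n bytes: take what the primary device gives right away,
 * then top up the remainder from the fallback device. Returns the total
 * number of bytes filled; anything less than n means both sources failed
 * and the caller must refuse to seed rather than use a partial seed. */
size_t read_seed(const char *primary, const char *fallback,
                 unsigned char *buf, size_t n)
{
    size_t got = read_nonblocking(primary, buf, n);
    if (got < n)
        got += read_nonblocking(fallback, buf + got, n - got);
    return got;
}

/* Convenience check: 1 if a full n-byte seed (n <= 1024) can be collected
 * from the given primary/fallback pair, 0 otherwise. */
int seed_available(const char *primary, const char *fallback, size_t n)
{
    unsigned char buf[1024];
    if (n > sizeof buf)
        return 0;
    return read_seed(primary, fallback, buf, n) == n;
}

int main(void)
{
    unsigned char seed[512];
    size_t got = read_seed("/dev/random", "/dev/urandom", seed, sizeof seed);
    if (got < sizeof seed) {
        fprintf(stderr, "could not collect %zu seed bytes (got %zu)\n",
                sizeof seed, got);
        return 1;
    }
    /* Hand `seed` to the PRNG here; the bytes are never printed. */
    printf("collected %zu seed bytes without blocking\n", got);
    return 0;
}
```

Opening the primary device with O_NONBLOCK turns a startup hang into an immediate EAGAIN, and the short-read loop treats an EOF from a drained pool as "give me the rest elsewhere" rather than as a completed seed. Refusing to proceed on a partial fill matters more than it looks: a server that silently seeds from fewer bytes than it asked for has the security cost Sampo mentions without any of the visibility.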