On Wed, May 12, 1999, Colin Scott wrote:

> I'm getting a long delay when starting up apache using "apachectl startssl"
> that I don't get when I start it without enabling ssl i.e. "apachectl
> start". The delay is always 4 minutes during which time any browser that
> tries to connect to the server will lock-up [i.e. no error is returned from
> the server so the browser either waits or retries the request?]!! Here is
> some info from the "ssl_engine_log" file:

> [...]
> [12/May/1999 14:48:17] [info]  Init: Generating temporary RSA private keys
> [12/May/1999 14:52:13] [info]  Init: Initializing (virtual) servers for SSL
> [...]
> 
> 1. Is the 4 minute delay normal for a 50MHz Sparc processor?

Yes, keep in mind that key*s* (actually 2) are generated and this can take
that long. It's not deterministic how long it will actually take (because the
RSA key generation is a random process), but in the worst case it can take a
few minutes on slow machines. On my PII/400 it takes between 10sec and 30sec,
on my slower SPARCs it takes between 30sec and 60sec. And when your SPARC
already has a higher load plus the random process of generating the keys takes
a little bit long, 4 minutes does not sound unusual.

> 2. What does the line "Generating temporary RSA private keys" mean?

Err? It means that two temporary RSA private keys are generated which are
needed for the SSL protocol, especially for the export ciphers.

> 3. If this is a "normal" process going on can we at least have the server
> tell the browsers it's busy or something???

No, we can't. Because we need the keys before we can usually speak HTTPS.  I
understand that 4 minutes of startup time is nasty and I've not observed such
a long time myself. But I'll look whether I can at least delay the generation
of the 1024-bit private key...
                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
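
The reply's point that RSA key generation time is not deterministic, shown as an added example (not part of the original thread, and not mod_ssl or OpenSSL code). It counts how many random candidates must be tested before two primes are found; the function names, the 512-bit sample size and the seeds are assumptions made for the illustration.

```python
import random

def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # 'a' is a witness that n is composite
    return True

def find_prime(bits, rng):
    """Draw random odd candidates of exactly `bits` bits until one is prime.
    Returns (prime, number_of_candidates_tested)."""
    attempts = 0
    while True:
        attempts += 1
        # Force the top bit (exact size) and the low bit (odd).
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand, attempts

def attempts_per_keygen(key_bits, runs, seed=0):
    """Candidates tested per simulated key generation (two primes each)."""
    results = []
    for i in range(runs):
        # Constructed seeds for repeatability; random.Random is used only to
        # study the search length and is not suitable for real key material.
        rng = random.Random(seed + i)
        half = key_bits // 2
        results.append(find_prime(half, rng)[1] + find_prime(half, rng)[1])
    return results

if __name__ == "__main__":
    for bits in (512, 1024):  # 1024 is the size named in the reply; 512 is a sample
        print(bits, "bit key, candidates tested per run:", attempts_per_keygen(bits, 10))
```

The spread between the smallest and largest count in each row is the run-to-run variation the reply describes; each candidate costs modular exponentiations, so on a slow or loaded CPU a long search translates directly into a long startup.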
