On Wed, Nov 10, 1999, dave madden wrote:

> I'm clearly a stupid fsck, but perhaps this tip will help other stupid
> fscks out there running Apache and modssl on Linux.
> 
> I was having trouble with long (really long, sometimes) connect times
> on SSL connections.  Sometimes things would go through immediately, or
> within a second or two, but often it would be 20 seconds before data
> started coming back.  Well, I'd configured SSL to use the high-quality
> random data from /dev/random (Linux gurus can stop reading here --
> I've just told you what I did wrong) but that device won't give you
> any more data than it has collected entropy.  That is, /dev/random
> maintains a pool of randomness that is fed by external, presumably
> unpredictable, events.  When the pool runs dry, you have to wait for
> some random stuff to happen before you'll get the data you tried to
> read.
> 
> So Apache was reading from this limited resource, and sometimes (if I
> was moving the mouse, or typing, or had a lot of disk activity
> happening) there'd be enough random data to generate a key or whatever
> modssl needed, but other times it had to wait until "things"
> happened.  Tough to debug if you're thinking it's maybe network
> problems or something, but a quick strace will show what's really
> happening.
> 
> Anyway, the solution is to use /dev/urandom, which never runs dry, as
> your source for the SSLRandomSeed lines.

Yes, and details about this situation and problem have been in the mod_ssl
documentation for a long time, directly under the entry for SSLRandomSeed.
But people often prefer to waste time instead of reading the documentation
first... ;) I've now also added an FAQ entry about this topic to increase the
chance that people find the answer. Thanks for your hint.

                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
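As an added illustration of the problem in the thread (not code from either poster or from the mod_ssl project), the script below holds a constructed httpd.conf fragment with the blocking setting beside the corrected one, and a small POSIX sh check that flags any SSLRandomSeed line reseeding from /dev/random in the "connect" context, which is the case that stalls individual handshakes. The directive syntax follows the mod_ssl documentation; the config contents and function names are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of the configuration described in the thread: mod_ssl
# reseeds from /dev/random on every connection, so each handshake can stall
# until the kernel entropy pool refills.
BLOCKING_CONF='SSLRandomSeed startup file:/dev/random 512
SSLRandomSeed connect file:/dev/random 512'

# Corrected form: /dev/urandom never blocks, so per-connection seeding cannot
# delay the handshake. A one-time /dev/random read at startup only delays
# server start, which is a different (and usually acceptable) cost.
FIXED_CONF='SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512'

# check_seed_config: read an httpd.conf fragment on stdin and print every
# SSLRandomSeed line that uses file:/dev/random in the "connect" context.
# Exit status is 0 when the fragment is clean, 1 when a blocking source is found.
check_seed_config() {
    found=0
    while IFS= read -r line; do
        # split the line into words; an empty line leaves $1 unset
        set -- $line
        case "$1" in
            ''|\#*) continue ;;            # blank line or comment
        esac
        [ "$1" = "SSLRandomSeed" ] || continue
        ctx=$2
        src=$3
        if [ "$ctx" = "connect" ] && [ "$src" = "file:/dev/random" ]; then
            printf 'blocking per-connection seed: %s\n' "$line"
            found=1
        fi
    done
    return $found
}

# count_blocking: number of offending lines in the fragment passed as $1,
# convenient for scripting or for asserting in a test.
count_blocking() {
    printf '%s\n' "$1" | check_seed_config | wc -l | tr -d ' '
}
```

Running `printf '%s\n' "$BLOCKING_CONF" | check_seed_config` reports the one offending line and exits non-zero; the same check over `$FIXED_CONF` prints nothing and exits zero.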
