On Thu, Nov 11, 1999, Steve Freitas wrote:

> > #   Pseudo Random Number Generator (PRNG):
> > #   Configure one or more sources to seed the PRNG of the 
> > #   SSL library. The seed data should be of good random quality.
> >+#   WARNING! On some platforms /dev/random blocks if not enough entropy
> >+#   is available. This means you then cannot use the /dev/random device
> >+#   because it would lead to very long connection times (as long as
> >+#   it requires to make more entropy available). But usually those
> >+#   platforms additionally provide a /dev/urandom device which doesn't
> >+#   block. So, if available, use this one instead. Read the mod_ssl User
> >+#   Manual for more details.
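Review bot: the added warning recommends /dev/urandom ("So, if available, use this one instead") without saying anything about the quality of its output compared with /dev/random, although the unchanged context line just above it states that "The seed data should be of good random quality"; a sentence on that trade-off belongs in the comment. The parenthetical "(as long as it requires to make more entropy available)" is also hard to parse, and "until enough entropy becomes available" would say it directly. The closing pointer to the mod_ssl User Manual would be easier to follow if it named the chapter or directive it refers to.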
> 
> AH-HA!
> 
> I've been fighting miscellaneous pauses on my machine for a while now (RH 
> 6.1 i386). It would pause sometimes when I'd hit my webserver's front page 
> (where among other things a random number gets generated), sometimes when 
> I'd log in with SSH (where it grabs a random for its encryption, 
> presumably), etc.
> 
> So I did a simple "more /dev/random", and it sat there pausing until I 
> popped up a menu in Gnome. As I spaced down, it kept pausing until I 
> generated activity. "more /dev/urandom" generated no such pauses.
> 
> Given that my machine is pausing all over the place (Apache, SSH, 
> Sendmail, etc.), is there a way to generate entropy to prevent random 
> from blocking? Having to change all that source code would be excessive 
> and well beyond my skill.

Usually any type of system activity adds entropy, ranging from disk I/O to
input on keyboards and other devices. As an easy workaround, you could perhaps
try to make /dev/random a link to /dev/random ;) Then you don't have to
recompile your programs. But be aware that /dev/urandom does not produce
random values as good as those from /dev/random, of course...

                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
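
An added example, not part of the original thread or of mod_ssl: a small C probe that performs the "more /dev/random" test from the message above without hanging, by opening the device with O_NONBLOCK and counting how many bytes come back before a normal read would have stalled. The function names are illustrative, and it assumes a POSIX system where a device that would block reports EAGAIN on a non-blocking read.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Read up to `want` bytes from a non-blocking descriptor and return how many
 * were available immediately. Stops at the first point where an ordinary
 * (blocking) read would have paused. Returns -1 on any other error. */
ssize_t bytes_without_blocking(int fd, size_t want)
{
    unsigned char buf[256];
    size_t got = 0;

    while (got < want) {
        size_t chunk = want - got;
        if (chunk > sizeof buf)
            chunk = sizeof buf;
        ssize_t n = read(fd, buf, chunk);
        if (n > 0) {
            got += (size_t)n;
        } else if (n == 0) {
            break;                      /* end of file */
        } else if (errno == EAGAIN || errno == EWOULDBLOCK) {
            break;                      /* a blocking read would pause here */
        } else if (errno != EINTR) {
            return -1;                  /* real I/O error */
        }
    }
    return (ssize_t)got;
}

/* Open a device non-blocking and probe it; -1 if it cannot be opened. */
ssize_t probe_device(const char *path, size_t want)
{
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return -1;
    ssize_t got = bytes_without_blocking(fd, want);
    close(fd);
    return got;
}

int main(void)
{
    const char *devs[] = { "/dev/random", "/dev/urandom" };
    for (int i = 0; i < 2; i++)
        printf("%-13s %zd of 64 bytes available without blocking\n",
               devs[i], probe_device(devs[i], 64));
    return 0;
}
```

A count below 64 for a device means a server seeding its PRNG from that device with a blocking read would have paused at that moment.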
