On Mon, Jan 15, 2001 at 04:19:57PM +0100, [EMAIL PROTECTED] wrote:
> On Mon, Jan 15, 2001 at 14:54pm +0100 Lutz Jaenicke <
> [EMAIL PROTECTED]> wrote:
> 
> > It is in my ssl_engine_log, as of httpd.conf:
> > SSLLog      /var/local/apache/log/ssl_engine_log
> 
> I set my SSLLogLevel to info and got the following:
> 
> [15/Jan/2001 16:08:15 01103] [info]  Init: Loading certificate & private key of
> SSL-aware server cs71.esoc.esa.de:443
> 
> Nothing before that, and nothing after it. In my primary error log I found:
> 
> [Mon Jan 15 16:08:15 2001] [error] mod_ssl: Init: Failed to generate temporary
> 512 bit RSA private key
> 
> This was because egd hadn't, for some reason, got running by the time apache
> tried to start. Which throws me back to the original question - how do I delay
> apache until egd is running.
> 
> And before you suggest I do a ps -ef | grep egd and test the response I tried
> that. It always seemed to pass, but apache still wasn't running when the machine
> came up!!

Hmm. I am running HP-UX (no /dev/*random) and did use egd for quite some
time. I started it early in the bootup sequence and it did gather enough
entropy to initially seed apache (started several steps later in the startup
sequence). I even run three apache servers (one for test purposes to test
pages before uploading them and one for our internal CVSweb only), EGD did
gather enough to feed all three of them.
Ok, let's try to figure out some ideas:
* I mainly think that your configuration does not even access your EGD
  sockets (this because there is no 'seed' entry in the log).
* I have written my own PRNGD which has an egd compatible interface, so that
  apache can query it. It imitates a /dev/urandom like behaviour by having
  an internal PseudoRNG so that it is never drained. On startup it reads
  a seed-save file so that it is immediately ready to serve random numbers.
  You can find it at
   http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html
  As you will see, HP-UX, Solaris, IRIX and NextStep are supported.
  (Unixware is already in 0.3.1, but I am still working with the contributor
  of the Unixware patches since prngd does not work because of a
  "bind(): invalid argument" failure we could not yet figure out.
  I will give it a last try tonight, then probably release 0.3.1 with a warning
  about Unixware and look for help from somebody with Unixware "in_depth"
  experience.)

> Sorry about that - it's this *?*?*?*?*?*?*? Lotus Notes. That's the only way
> it's got of citing. Stinks, doesn't it? Before you ask, I hand crafted this
> response.
:-)

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
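The thread describes two distinct failure modes: apache starting before egd has come up (or before egd has gathered anything), and httpd.conf never pointing mod_ssl at the EGD socket at all (no "seed" entry in ssl_engine_log). The check below is an added example, not code from this thread or from egd/prngd. It speaks the EGD socket protocol's entropy-available query (a client sends command byte 0x00 and the daemon answers with a 4-byte big-endian count of entropy bits) and polls until the daemon reports at least a chosen number of bits, which is a stronger readiness test than the `ps -ef | grep egd` check mentioned above, since a daemon can be running while its pool is still empty. The `MockEgd` class is a constructed stand-in so the example runs offline; the socket path, the 512-bit threshold and the timeouts are assumptions for the demo.

```python
import os
import socket
import struct
import tempfile
import threading
import time

# EGD protocol: command byte 0x00 asks for the gathered entropy; the daemon
# replies with the bit count as a 4-byte big-endian integer.
EGD_CMD_ENTROPY_AVAILABLE = b"\x00"


def _recv_exact(conn, n):
    """Read exactly n bytes, or return None if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def egd_entropy_bits(sock_path, timeout=2.0):
    """Ask the daemon behind sock_path how many entropy bits it holds.
    Returns None when the socket is missing, refuses the connection,
    times out, or sends a short reply."""
    if not os.path.exists(sock_path):
        return None
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(sock_path)
            s.sendall(EGD_CMD_ENTROPY_AVAILABLE)
            reply = _recv_exact(s, 4)
    except OSError:  # ECONNREFUSED, unlink race, socket.timeout, ...
        return None
    if reply is None:
        return None
    return struct.unpack("!I", reply)[0]


def wait_for_egd(sock_path, min_bits, timeout, poll=0.05):
    """Poll until the daemon reports at least min_bits of entropy or the
    timeout (seconds) expires. Returns (ready, bits_last_seen)."""
    deadline = time.monotonic() + timeout
    while True:
        bits = egd_entropy_bits(sock_path)
        if bits is not None and bits >= min_bits:
            return True, bits
        if time.monotonic() >= deadline:
            return False, bits
        time.sleep(poll)


class MockEgd:
    """Constructed stand-in for egd/prngd so the example runs offline: it
    answers the entropy query from a counter the caller sets by hand."""

    def __init__(self, sock_path):
        self.sock_path = sock_path
        self.bits = 0
        self._stop = False
        self._srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self._srv.bind(sock_path)
        self._srv.listen(5)
        self._srv.settimeout(0.1)  # lets the serve loop notice _stop
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop:
            try:
                conn, _ = self._srv.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            with conn:
                conn.settimeout(1.0)
                try:
                    if conn.recv(1) == EGD_CMD_ENTROPY_AVAILABLE:
                        conn.sendall(struct.pack("!I", self.bits))
                except OSError:
                    pass

    def close(self):
        self._stop = True
        self._thread.join()
        self._srv.close()
        os.unlink(self.sock_path)


def demo():
    """Walk through the startup race: daemon absent, daemon listening but
    still gathering, daemon with enough entropy. Returns the three outcomes."""
    workdir = tempfile.mkdtemp()
    sock_path = os.path.join(workdir, "entropy")  # assumed socket path
    absent = wait_for_egd(sock_path, min_bits=512, timeout=0.2)
    egd = MockEgd(sock_path)
    try:
        egd.bits = 64  # daemon is up, pool nearly empty: ps would say "running"
        starving = wait_for_egd(sock_path, min_bits=512, timeout=0.2)
        egd.bits = 4096  # pool has filled up
        ready = wait_for_egd(sock_path, min_bits=512, timeout=2.0)
    finally:
        egd.close()
        os.rmdir(workdir)
    return absent, starving, ready


if __name__ == "__main__":
    for label, (ok, bits) in zip(("absent", "starving", "ready"), demo()):
        print(f"{label:9s} ready={ok} bits={bits}")
```

In a startup script you would call `wait_for_egd` on the same socket that httpd.conf hands to mod_ssl (the `SSLRandomSeed startup egd:/path/to/socket` directive) and only launch httpd once it returns ready; if that directive is absent, mod_ssl never contacts the socket at all, which matches the missing "seed" entry in the log above. PRNGD's seed-save file avoids the "starving" state on reboot, but the "absent" state is still an ordering problem that the check catches.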