Re: how to avoid balancer manager nonce?

2012-09-11 Thread Jim Jagielski
Does the following address the issue?

http://svn.apache.org/viewvc?rev=1383490&view=rev

On Sep 8, 2012, at 11:30 AM, Eric Covener cove...@gmail.com wrote:

 But the call to apr_uuid_get() is still done, even if the person
 used the nonce attribute. That's what I suggested fixing...
 
 +1
 
 -- 
 Eric Covener
 cove...@gmail.com
 



Re: how to avoid balancer manager nonce?

2012-09-11 Thread Eric Covener
On Tue, Sep 11, 2012 at 1:51 PM, Jim Jagielski j...@jagunet.com wrote:
 Does the following address the issue?

 http://svn.apache.org/viewvc?rev=1383490&view=rev

Looks like it, desk-checked only.  Thanks!


Re: how to avoid balancer manager nonce?

2012-09-08 Thread Jim Jagielski
CSRF against balancer_manager... Looks like jorton himself
was the person who first referenced and defined it as a nonce.

On Sep 5, 2012, at 7:08 AM, Ben Laurie b...@links.org wrote:

 On Wed, Sep 5, 2012 at 11:57 AM, Jim Jagielski j...@jagunet.com wrote:
 FWIW, I have time this week to impl this...
 
 Feedback/Concerns?
 
 I still want to know what the nonce is actually for! Are you going
 to make me read the code and guess?
 
 
 On Sep 1, 2012, at 11:47 AM, Jim Jagielski j...@jagunet.com wrote:
 
 Another alternative would be to have the nonce also possibly
 set at config-time and, if unset, then use the uuid. That way
 it could also be used as a sort of shared-secret ;)
 
  ProxySet nonce=applepie!
 
 Longer term, I think that's a more strategic solution.
 
 On Aug 31, 2012, at 2:14 PM, Stefan Fritsch s...@sfritsch.de wrote:
 
 On Friday 31 August 2012, Eric Covener wrote:
 I'm fighting a problem on new releases of AIX where in some
 environments, /dev/random seems to run out of entropy way too
 quick.
 
 I'd like a way to suppress the apr_uuid_get->
 apr_generate_random_bytes() in mod_proxy_balancer used for the
 balancer-manager nonce in affected environments.
 
 I was thinking a global BalancerManager off could be used for
 this and would also have the upside of fixing the SetHandler
 htaccess problem.
 
 Alternatives would be to find a weaker source for the nonce, or
 allow to opt out / use a hard-coded one.
 
 Any suggestions?
 
 For 2.4, you could use ap_random_insecure_bytes(). It should be good
 enough for a nonce.
 
 If you add a BalancerManager off, it should be per directory, or at
 least per vhost. Otherwise it would not help that much with the
 SetHandler htaccess problem.
 
 
 
 



Re: how to avoid balancer manager nonce?

2012-09-08 Thread Jim Jagielski

On Sep 5, 2012, at 7:42 AM, Rainer Jung rainer.j...@kippdata.de wrote:

 On 31.08.2012 15:45, Eric Covener wrote:
 I'm fighting a problem on new releases of AIX where in some
 environments, /dev/random seems to run out of entropy way too quick.
 
 I'd like a way to suppress the apr_uuid_get->
 apr_generate_random_bytes() in mod_proxy_balancer used for the
 balancer-manager nonce in affected environments.
 
 Doesn't it only call apr_uuid_get() during creation of the balancer worker? 
 So IMHO it should be only a problem during startup.
 

Yep, at least as far as I can recall... The actual call is done via 
ap_proxy_define_balancer().

 I was thinking a global BalancerManager off could be used for this
 
 For 2.4 there already seems to be a configurable nonce attribute for each 
 balancer allowing the special value None. Not so for 2.2.

But the call to apr_uuid_get() is still done, even if the person
used the nonce attribute. That's what I suggested fixing...
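
Added illustration, not part of any message in this thread and not httpd code: a small C model of the behaviour being discussed, in which a balancer reads the random source only when no nonce was configured and the manager refuses a request that does not echo the nonce. The names `balancer_t`, `define_balancer`, `manager_request_allowed` and `draw_random_nonce` are hypothetical, and /dev/urandom stands in for apr_uuid_get() as an assumption.

```c
#include <stdio.h>
#include <string.h>

#define NONCE_LEN 32   /* hex characters; constructed size for this model */

/* Hypothetical stand-in for a balancer; an empty nonce disables checking. */
typedef struct { char nonce[NONCE_LEN + 1]; } balancer_t;

static int random_draws;   /* counts reads of the random source */

/* Read 16 bytes from the OS random source and hex-encode them.
 * /dev/urandom is an assumption standing in for apr_uuid_get(). */
static int draw_random_nonce(char *out)
{
    unsigned char raw[NONCE_LEN / 2];
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t got = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (got != sizeof raw) return -1;
    for (size_t i = 0; i < sizeof raw; i++)
        snprintf(out + 2 * i, 3, "%02x", raw[i]);
    random_draws++;
    return 0;
}

/* configured == NULL: no nonce attribute, so draw a random one.
 * "None" disables checking; any other value is used verbatim.
 * Only the first case touches the random source. */
int define_balancer(balancer_t *b, const char *configured)
{
    if (configured == NULL) return draw_random_nonce(b->nonce);
    if (strcmp(configured, "None") == 0) { b->nonce[0] = '\0'; return 0; }
    if (strlen(configured) > NONCE_LEN) return -1;
    strcpy(b->nonce, configured);
    return 0;
}

/* Compare with no early exit at the first differing byte. */
static int nonce_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* A manager request that changes state must echo the balancer's nonce. */
int manager_request_allowed(const balancer_t *b, const char *param)
{
    if (b->nonce[0] == '\0') return 1;   /* checking disabled ("None") */
    return param != NULL && nonce_equal(b->nonce, param);
}
```

A fixed value such as the `applepie!` from the thread avoids the entropy read, but it is then a shared secret rather than a one-time value, which is the distinction argued over elsewhere in the thread.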

Re: how to avoid balancer manager nonce?

2012-09-08 Thread Eric Covener
 But the call to apr_uuid_get() is still done, even if the person
 used the nonce attribute. That's what I suggested fixing...

+1

-- 
Eric Covener
cove...@gmail.com


Re: how to avoid balancer manager nonce?

2012-09-05 Thread Jim Jagielski
FWIW, I have time this week to impl this...

Feedback/Concerns?

On Sep 1, 2012, at 11:47 AM, Jim Jagielski j...@jagunet.com wrote:

 Another alternative would be to have the nonce also possibly
 set at config-time and, if unset, then use the uuid. That way
 it could also be used as a sort of shared-secret ;)
 
   ProxySet nonce=applepie!
 
 Longer term, I think that's a more strategic solution.
 
 On Aug 31, 2012, at 2:14 PM, Stefan Fritsch s...@sfritsch.de wrote:
 
 On Friday 31 August 2012, Eric Covener wrote:
 I'm fighting a problem on new releases of AIX where in some
 environments, /dev/random seems to run out of entropy way too
 quick.
 
 I'd like a way to suppress the apr_uuid_get->
 apr_generate_random_bytes() in mod_proxy_balancer used for the
 balancer-manager nonce in affected environments.
 
 I was thinking a global BalancerManager off could be used for
 this and would also have the upside of fixing the SetHandler
 htaccess problem.
 
 Alternatives would be to find a weaker source for the nonce, or
 allow to opt out / use a hard-coded one.
 
 Any suggestions?
 
 For 2.4, you could use ap_random_insecure_bytes(). It should be good 
 enough for a nonce.
 
 If you add a BalancerManager off, it should be per directory, or at 
 least per vhost. Otherwise it would not help that much with the 
 SetHandler htaccess problem.
 
 



Re: how to avoid balancer manager nonce?

2012-09-05 Thread Tony Stevenson

On 5 Sep 2012, at 11:57, Jim Jagielski j...@jagunet.com wrote:

 FWIW, I have time this week to impl this...
 
 Feedback/Concerns?

Only the term 'nonce' - It has very unfortunate connotations from UK English.
[1]  :-) 


[1] - http://en.wikipedia.org/wiki/Nonce_(slang)




Cheers,
Tony

--
Tony Stevenson

t...@pc-tony.com
t...@caret.cam.ac.uk
pct...@apache.org

http://www.pc-tony.com

GPG - 1024D/51047D66
--



Re: how to avoid balancer manager nonce?

2012-09-05 Thread Ben Laurie
On Wed, Sep 5, 2012 at 11:57 AM, Jim Jagielski j...@jagunet.com wrote:
 FWIW, I have time this week to impl this...

 Feedback/Concerns?

I still want to know what the nonce is actually for! Are you going
to make me read the code and guess?


 On Sep 1, 2012, at 11:47 AM, Jim Jagielski j...@jagunet.com wrote:

 Another alternative would be to have the nonce also possibly
 set at config-time and, if unset, then use the uuid. That way
 it could also be used as a sort of shared-secret ;)

   ProxySet nonce=applepie!

 Longer term, I think that's a more strategic solution.

 On Aug 31, 2012, at 2:14 PM, Stefan Fritsch s...@sfritsch.de wrote:

 On Friday 31 August 2012, Eric Covener wrote:
 I'm fighting a problem on new releases of AIX where in some
 environments, /dev/random seems to run out of entropy way too
 quick.

 I'd like a way to suppress the apr_uuid_get->
 apr_generate_random_bytes() in mod_proxy_balancer used for the
 balancer-manager nonce in affected environments.

 I was thinking a global BalancerManager off could be used for
 this and would also have the upside of fixing the SetHandler
 htaccess problem.

 Alternatives would be to find a weaker source for the nonce, or
 allow to opt out / use a hard-coded one.

 Any suggestions?

 For 2.4, you could use ap_random_insecure_bytes(). It should be good
 enough for a nonce.

 If you add a BalancerManager off, it should be per directory, or at
 least per vhost. Otherwise it would not help that much with the
 SetHandler htaccess problem.





Re: how to avoid balancer manager nonce?

2012-09-05 Thread Ben Laurie
On Wed, Sep 5, 2012 at 12:02 PM, Tony Stevenson pct...@apache.org wrote:

 On 5 Sep 2012, at 11:57, Jim Jagielski j...@jagunet.com wrote:

 FWIW, I have time this week to impl this...

 Feedback/Concerns?

 Only the term 'nonce' - It has very unfortunate connotations from UK English.
 [1]  :-)

Sadly, we lost that battle a long time ago, it is a term of art in
crypto/security - which is why, btw, I want to know what it is
actually used for, because generally predictable nonces are a _really
bad idea_, and that is what is currently proposed. I'm assuming that
whoever wrote the code wasn't a complete idiot and did not use
cryptographic randomness for no reason. But perhaps they did, as Jim
seems to think.



 [1] - http://en.wikipedia.org/wiki/Nonce_(slang)




 Cheers,
 Tony

 --
 Tony Stevenson

 t...@pc-tony.com
 t...@caret.cam.ac.uk
 pct...@apache.org

 http://www.pc-tony.com

 GPG - 1024D/51047D66
 --



Re: how to avoid balancer manager nonce?

2012-09-05 Thread Rainer Jung

On 31.08.2012 15:45, Eric Covener wrote:

I'm fighting a problem on new releases of AIX where in some
environments, /dev/random seems to run out of entropy way too quick.

I'd like a way to suppress the apr_uuid_get->
apr_generate_random_bytes() in mod_proxy_balancer used for the
balancer-manager nonce in affected environments.


Doesn't it only call apr_uuid_get() during creation of the balancer 
worker? So IMHO it should be only a problem during startup.



I was thinking a global BalancerManager off could be used for this


For 2.4 there already seems to be a configurable nonce attribute for 
each balancer allowing the special value None. Not so for 2.2.



and would also have the upside of fixing the SetHandler htaccess
problem.


Not sure what the SetHandler htaccess problem is.


Alternatives would be to find a weaker source for the nonce, or allow
to opt out / use a hard-coded one.

Any suggestions?


Concerning the more recent discussion on this topic: it seems the nonce 
was introduced in r661666 to counter a possible CSRF attack against the 
balancer manager (CVE-2007-6420). Configurability was added later.


Regards,

Rainer



Re: how to avoid balancer manager nonce?

2012-09-01 Thread Jim Jagielski
Another alternative would be to have the nonce also possibly
set at config-time and, if unset, then use the uuid. That way
it could also be used as a sort of shared-secret ;)

ProxySet nonce=applepie!

Longer term, I think that's a more strategic solution.

On Aug 31, 2012, at 2:14 PM, Stefan Fritsch s...@sfritsch.de wrote:

 On Friday 31 August 2012, Eric Covener wrote:
 I'm fighting a problem on new releases of AIX where in some
 environments, /dev/random seems to run out of entropy way too
 quick.
 
 I'd like a way to suppress the apr_uuid_get->
 apr_generate_random_bytes() in mod_proxy_balancer used for the
 balancer-manager nonce in affected environments.
 
 I was thinking a global BalancerManager off could be used for
 this and would also have the upside of fixing the SetHandler
 htaccess problem.
 
 Alternatives would be to find a weaker source for the nonce, or
 allow to opt out / use a hard-coded one.
 
 Any suggestions?
 
 For 2.4, you could use ap_random_insecure_bytes(). It should be good 
 enough for a nonce.
 
 If you add a BalancerManager off, it should be per directory, or at 
 least per vhost. Otherwise it would not help that much with the 
 SetHandler htaccess problem.
 



Re: how to avoid balancer manager nonce?

2012-09-01 Thread Ben Laurie
On Sat, Sep 1, 2012 at 4:47 PM, Jim Jagielski j...@jagunet.com wrote:
 Another alternative would be to have the nonce also possibly
 set at config-time and, if unset, then use the uuid. That way
 it could also be used as a sort of shared-secret ;)

 ProxySet nonce=applepie!

 Longer term, I think that's a more strategic solution.

What? Nonces are one-time use only, by definition.

Better, IMO, would be to either use insecure random, or, better still,
seed a PRNG from secure random once and use that from then on (for all
randomness).

Or switch to FreeBSD where /dev/random does not block :-)

 On Aug 31, 2012, at 2:14 PM, Stefan Fritsch s...@sfritsch.de wrote:

 On Friday 31 August 2012, Eric Covener wrote:
 I'm fighting a problem on new releases of AIX where in some
 environments, /dev/random seems to run out of entropy way too
 quick.

 I'd like a way to suppress the apr_uuid_get->
 apr_generate_random_bytes() in mod_proxy_balancer used for the
 balancer-manager nonce in affected environments.

 I was thinking a global BalancerManager off could be used for
 this and would also have the upside of fixing the SetHandler
 htaccess problem.

 Alternatives would be to find a weaker source for the nonce, or
 allow to opt out / use a hard-coded one.

 Any suggestions?

 For 2.4, you could use ap_random_insecure_bytes(). It should be good
 enough for a nonce.

 If you add a BalancerManager off, it should be per directory, or at
 least per vhost. Otherwise it would not help that much with the
 SetHandler htaccess problem.




Re: how to avoid balancer manager nonce?

2012-09-01 Thread Jim Jagielski

On Sep 1, 2012, at 12:39 PM, Ben Laurie b...@links.org wrote:

 On Sat, Sep 1, 2012 at 4:47 PM, Jim Jagielski j...@jagunet.com wrote:
 Another alternative would be to have the nonce also possibly
 set at config-time and, if unset, then use the uuid. That way
 it could also be used as a sort of shared-secret ;)
 
ProxySet nonce=applepie!
 
 Longer term, I think that's a more strategic solution.
 
 What? Nonces are one-time use only, by definition.
 

Then we change the name from nonce to something else... Preventing
or arguing against a solid, reliable fix and enhancement because
it's called something is pretty bogus.

Or the other thing, other than renaming it, is to not be so
pedantic... after all, how long did we have 'MaxRequestsPerChild'? ;)

 Better, IMO, would be to either use insecure random, or, better still,
 seed a PRNG from secure random once and use that from then on (for all
 randomness).
 
 Or switch to FreeBSD where /dev/random does not block :-)
 
 On Aug 31, 2012, at 2:14 PM, Stefan Fritsch s...@sfritsch.de wrote:
 
 On Friday 31 August 2012, Eric Covener wrote:
 I'm fighting a problem on new releases of AIX where in some
 environments, /dev/random seems to run out of entropy way too
 quick.
 
 I'd like a way to suppress the apr_uuid_get->
 apr_generate_random_bytes() in mod_proxy_balancer used for the
 balancer-manager nonce in affected environments.
 
 I was thinking a global BalancerManager off could be used for
 this and would also have the upside of fixing the SetHandler
 htaccess problem.
 
 Alternatives would be to find a weaker source for the nonce, or
 allow to opt out / use a hard-coded one.
 
 Any suggestions?
 
 For 2.4, you could use ap_random_insecure_bytes(). It should be good
 enough for a nonce.
 
 If you add a BalancerManager off, it should be per directory, or at
 least per vhost. Otherwise it would not help that much with the
 SetHandler htaccess problem.
 
 
 



Re: how to avoid balancer manager nonce?

2012-09-01 Thread Ben Laurie
On Sat, Sep 1, 2012 at 8:13 PM, Jim Jagielski j...@jagunet.com wrote:

 On Sep 1, 2012, at 12:39 PM, Ben Laurie b...@links.org wrote:

 On Sat, Sep 1, 2012 at 4:47 PM, Jim Jagielski j...@jagunet.com wrote:
 Another alternative would be to have the nonce also possibly
 set at config-time and, if unset, then use the uuid. That way
 it could also be used as a sort of shared-secret ;)

ProxySet nonce=applepie!

 Longer term, I think that's a more strategic solution.

 What? Nonces are one-time use only, by definition.


 Then we change the name from nonce to something else... Preventing
 or arguing against a solid, reliable fix and enhancement because
 it's called something is pretty bogus.

Sure, if it's not a nonce, fine by me. Is it not a nonce? What is its purpose?

 Or the other thing, other than renaming it, is to not be so
 pedantic... after all, how long did we have 'MaxRequestsPerChild'? ;)

Whatever. The core problem is that /dev/random blocks, and we've
already seen that working around this leads to problems.


 Better, IMO, would be to either use insecure random, or, better still,
 seed a PRNG from secure random once and use that from then on (for all
 randomness).

 Or switch to FreeBSD where /dev/random does not block :-)

 On Aug 31, 2012, at 2:14 PM, Stefan Fritsch s...@sfritsch.de wrote:

 On Friday 31 August 2012, Eric Covener wrote:
 I'm fighting a problem on new releases of AIX where in some
 environments, /dev/random seems to run out of entropy way too
 quick.

 I'd like a way to suppress the apr_uuid_get->
 apr_generate_random_bytes() in mod_proxy_balancer used for the
 balancer-manager nonce in affected environments.

 I was thinking a global BalancerManager off could be used for
 this and would also have the upside of fixing the SetHandler
 htaccess problem.

 Alternatives would be to find a weaker source for the nonce, or
 allow to opt out / use a hard-coded one.

 Any suggestions?

 For 2.4, you could use ap_random_insecure_bytes(). It should be good
 enough for a nonce.

 If you add a BalancerManager off, it should be per directory, or at
 least per vhost. Otherwise it would not help that much with the
 SetHandler htaccess problem.






how to avoid balancer manager nonce?

2012-08-31 Thread Eric Covener
I'm fighting a problem on new releases of AIX where in some
environments, /dev/random seems to run out of entropy way too quick.

I'd like a way to suppress the apr_uuid_get->
apr_generate_random_bytes() in mod_proxy_balancer used for the
balancer-manager nonce in affected environments.

I was thinking a global BalancerManager off could be used for this
and would also have the upside of fixing the SetHandler htaccess
problem.

Alternatives would be to find a weaker source for the nonce, or allow
to opt out / use a hard-coded one.

Any suggestions?


Re: how to avoid balancer manager nonce?

2012-08-31 Thread Daniel Ruggeri
On 8/31/2012 8:45 AM, Eric Covener wrote:
 Alternatives would be to find a weaker source for the nonce, or allow
 to opt out / use a hard-coded one.

+1... also, couldn't the nonce get in the way of rest-like calls to the
balancer manager to disable/enable/modify members?

-- 
Daniel Ruggeri



Re: how to avoid balancer manager nonce?

2012-08-31 Thread Stefan Fritsch
On Friday 31 August 2012, Eric Covener wrote:
 I'm fighting a problem on new releases of AIX where in some
 environments, /dev/random seems to run out of entropy way too
 quick.
 
 I'd like a way to suppress the apr_uuid_get->
 apr_generate_random_bytes() in mod_proxy_balancer used for the
 balancer-manager nonce in affected environments.
 
 I was thinking a global BalancerManager off could be used for
 this and would also have the upside of fixing the SetHandler
 htaccess problem.
 
 Alternatives would be to find a weaker source for the nonce, or
 allow to opt out / use a hard-coded one.
 
 Any suggestions?

For 2.4, you could use ap_random_insecure_bytes(). It should be good 
enough for a nonce.

If you add a BalancerManager off, it should be per directory, or at 
least per vhost. Otherwise it would not help that much with the 
SetHandler htaccess problem.