From: RYAN vAN GINNEKEN
Date: Wed, 07 Apr 2004 16:58:24 -0600
To: Matthew Seaman
cc: freebsd-questions@freebsd.org
Subject: Re: startssl at boot time
Message-id: <40748790.9050206@shaw.ca>
In-reply-to: <20040407222702.GA66122@happy-idiot-talk.infracaninophile.co.uk>

THANKS, but I already have that line in my rc.conf file, and the log entries that I have submitted to this list are not from a reboot but rather from apachectl stop and start or startssl. So when I run a startssl I get the randomness I need; however, when I just use apachectl start, which is 99.9% the same command, it does not. Honestly I am stumped; hope you have some more wisdom to share. There is also the line about the SSL cache; I have done some googling but have not been able to come up with anything that helps.

Matthew Seaman wrote:

> On Wed, Apr 07, 2004 at 03:39:42PM -0600, RYAN vAN GINNEKEN wrote:
>
>> Seems to initialize SSL, but my SSL page still does not work; however, my
>> regular page does work. Here is a printout of the log file when I do
>> an apachectl stop and apachectl startssl. When I use startssl
>> everything works great, including my SSL page.
>>
>> [Wed Apr 07 13:20:08 2004] [info] Init: Seeding PRNG with 0 bytes of entropy
>> [Wed Apr 07 13:20:08 2004] [warn] Init: Session Cache is not configured
>> [hint: SSLSess
>
> The fact that you can do an apachectl startssl and have everything
> work as desired means that you're 99.99% of the way to getting it all
> to work. The modification to the apache2.sh script I sent you last
> time should force that script to always run 'apachectl startssl'
> itself, so that shouldn't be the problem.
>
> Hmmm... I think that perhaps the problem arises from when the
> apache2.sh script is run. I'm guessing that the 'Seeding PRNG' line
> is significant -- it apparently means that there is no random data yet
> available from /dev/random at the point when apache is started up in
> the boot sequence. As you're running 4.9, that can be cured by
> telling the system to use some appropriate IRQs as sources of
> randomness. First run:
>
>     % vmstat -i
>
> and look for the IRQs where there are a lot of interrupts generated.
> Not the 'clk' or 'rtc' interrupts, as those are clock ticks, firing at
> regular intervals, which is worse than useless as a source of
> randomness. I find that irq12 (psm0 -- the mouse), irq1 (atkbd0 --
> the keyboard), irq11 (mux -- multiplex: but this is network activity
> mostly) and irq15 (mux -- multiplex again, but disk activity mostly)
> work well for me, but you will have to choose 2 or 3 or 4 suitable
> IRQs on your own system to harvest for randomness.
>
> Then add them to /etc/rc.conf
>
>     rand_irqs="1 11 12 15"
>
> Then reboot. (See rndcontrol(8) for more details)
>
> With luck, and a following wind, there will be sufficient system
> activity during startup that there will be sufficient random data
> available to prime the PRNG used by OpenSSL, which should let apache
> start up automatically.
>
> Cheers,
>
> Matthew
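The IRQ selection procedure from Matthew's quoted reply (run vmstat -i, skip the clk and rtc clock ticks, keep the busy IRQs, write them into rand_irqs in /etc/rc.conf), as an added shell example that is not part of the original thread; the vmstat -i output below is constructed in the style of FreeBSD 4.x, and the 1000-interrupt threshold is an assumption.

```shell
#!/bin/sh
# Added example: derive a rand_irqs= setting from `vmstat -i` output on
# FreeBSD 4.x, excluding the clock interrupts (clk, rtc) that fire at fixed
# rates and therefore add no usable entropy to /dev/random.

# Constructed sample in the FreeBSD 4.x `vmstat -i` format (name irqN total rate).
# On a real system, feed the script the live output of: vmstat -i
SAMPLE_VMSTAT='interrupt                   total       rate
ata0 irq14                 165112          0
ata1 irq15                  78234          0
mux irq11                 1234567         12
psm0 irq12                  21456          0
atkbd0 irq1                  8821          0
fdc0 irq6                       4          0
clk irq0                 99999999        100
rtc irq8                127999999        128
Total                   229507222        240'

# Print "count irqN device" for each IRQ with at least $2 interrupts
# (default 1000, an assumed threshold), skipping clk/rtc, busiest first.
rand_irq_candidates() {
    min=${2:-1000}
    printf '%s\n' "$1" | awk -v min="$min" '
        $2 ~ /^irq[0-9]+$/ && $1 != "clk" && $1 != "rtc" && $3 >= min {
            print $3, $2, $1
        }' | sort -rn
}

# Turn the top $2 candidates (default 4) into the rc.conf line, IRQs ascending.
rand_irqs_line() {
    rand_irq_candidates "$1" | head -n "${2:-4}" \
        | sed 's/^[0-9]* irq\([0-9]*\).*/\1/' | sort -n | tr '\n' ' ' \
        | sed 's/ $//; s/^/rand_irqs="/; s/$/"/'
}

rand_irq_candidates "$SAMPLE_VMSTAT"
rand_irqs_line "$SAMPLE_VMSTAT" 4
```

After a reboot, the "Seeding PRNG with 0 bytes of entropy" message in the Apache error log is the check that the setting took effect: it should report a non-zero byte count once /dev/random has input from the chosen IRQs.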