Problem starting Apache (yes I have read the FAQs!)

on 20.08.2002 17:17:44 by rmr1

Hi all -

This seems to be a commonly reported problem, but for all the archives
and FAQs I've read, I am no further forward. Here is the situation:

Apache 1.3.26, openSSL 0.9.6g, mod_ssl 2.8.10-1.3.26, Compaq Tru64 UNIX
4.0F.

On starting Apache, it immediately exits and logs the following in the
error log file:

[Tue Aug 20 15:50:13 2002] [error] mod_ssl: Init: Failed to generate
temporary 512 bit RSA private key (OpenSSL library error follows)
[Tue Aug 20 15:50:13 2002] [error] OpenSSL: error:24064064:random number
generator:SSLEAY_RAND_BYTES:PRNG not seeded
[Tue Aug 20 15:50:13 2002] [error] OpenSSL: error:04069003:rsa
routines:RSA_generate_key:BN lib

The FAQ refers to the SSLRandomSeed directive; this is set in the
httpd.conf file as

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

(As I'm running on Tru64 I don't have the option of using /dev/random)

It also refers to problems at the "make certificate" stage; that seems
to have gone through without any problems.

I've also read that there are problems with PHP, so I have removed all
reference in the httpd.conf file to the dynamic PHP module, and for good
measure the dynamic Apache Jserv module, so these are not loading. Still
no difference.

Can anyone offer me some more pointers?

Thanks

Richard

--

Richard Rogers
IT Services, Staffordshire University
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Problem starting Apache (yes I have read the FAQs!)

on 20.08.2002 21:34:05 by Cliff Woolley

On Tue, 20 Aug 2002 rmr1@staffs.ac.uk wrote:

> The FAQ refers to the SSLRandomSeed directive; this is set in the
> httpd.conf file as
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
> (As I'm running on Tru64 I don't have the option of using /dev/random)

Try using prngd ...

http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html

Hope this helps,
Cliff


Re: Problem starting Apache (yes I have read the FAQs!)

on 20.08.2002 21:48:26 by Peter Viertel

there's more info on this in the reference manual, than the FAQ.

http://www.modssl.org/docs/2.8/ssl_reference.html#ToC4

Basically try changing the 'startup' one to use a
file:/path/to/file/with/junk/in/it that points at a file with something
random enough in it - I'm not mr crypto, but, by random I take it that
something an outside party can't guess ought to be enough, and you need
to experiment with file lengths a bit to find what works enough - some
people advocate using the syslog output. Of course if you're just
hacking around and you don't care that the NSA or the Home Office might
be able to decrypt your ssl streams, then why stress out about it?

the 'connect' one however should get by using the builtin or see if you
can get egd working - this one does affect performance, so avoid using
the exec: option because spawning processes is not cheap on resources.

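The advice in the message above, as an added example that is not part of the thread or of mod_ssl itself: a small Python check that reads SSLRandomSeed lines and flags a startup context seeded only by builtin, and an exec: source in the connect context. The REVISED config and its egd socket path are assumptions made for illustration.

```python
import re

# Constructed inputs: ORIGINAL repeats the two lines quoted in the thread;
# REVISED adds an EGD socket source (the socket path is an assumed example).
ORIGINAL = "SSLRandomSeed startup builtin\nSSLRandomSeed connect builtin\n"
REVISED = (
    "SSLRandomSeed startup builtin\n"
    "SSLRandomSeed startup egd:/var/run/egd-pool\n"
    "SSLRandomSeed connect builtin\n"
)

# SSLRandomSeed <context> <source> [bytes]
DIRECTIVE = re.compile(
    r"^\s*SSLRandomSeed\s+(startup|connect)\s+(\S+)(?:\s+\d+)?\s*$",
    re.IGNORECASE,
)

def parse_seeds(conf):
    """Collect the seed sources configured for each context."""
    seeds = {"startup": [], "connect": []}
    for line in conf.splitlines():
        if line.lstrip().startswith("#"):  # commented-out directive
            continue
        m = DIRECTIVE.match(line)
        if m:
            seeds[m.group(1).lower()].append(m.group(2))
    return seeds

def audit(conf):
    """Return (context, finding) pairs for the issues raised in the thread."""
    seeds = parse_seeds(conf)
    findings = []
    external = [s for s in seeds["startup"] if s.lower() != "builtin"]
    if not external:
        findings.append(("startup", "no file:, exec: or egd: source; "
                         "builtin alone can leave the PRNG unseeded"))
    for src in seeds["connect"]:
        if src.lower().startswith("exec:"):
            findings.append(("connect", "exec: spawns a process per connection"))
    return findings

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("revised", REVISED)):
        print(name, audit(conf) or "ok")
```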

Re: Problem starting Apache (yes I have read the FAQs!)

on 20.08.2002 23:31:47 by Jeroen Vriesman

On Tue, 20 Aug 2002 20:48:26 +0100
"Peter Viertel" wrote:

> there's more info on this in the reference manual, than the FAQ.
>
> http://www.modssl.org/docs/2.8/ssl_reference.html#ToC4
>
> Basically try changing the 'startup' one to use a
> file:/path/to/file/with/junk/in/it that points at a file with something
> random enough in it - I'm not mr crypto, but, by random I take it that
> something an outside party can't guess ought to be enough, and you need

Actually something like "having an autocorrelation function which looks like a dirac delta function" is better.
Since an algorithm can never produce real random, there are actually "hardware random generators" using a source like zener noise for random.

Regards.
mr. (paranoid) crypto.



> to experiment with file lengths a bit to find what works enough - some
> people advocate using the syslog output. Of course if you're just
> hacking around and you don't care that the NSA or the Home Office might
> be able to decrypt your ssl streams, then why stress out about it?
>

I do care, they are always after me, really!


> the 'connect' one however should get by using the builtin or see if you
> can get egd working - this one does affect performance, so avoid using
> the exec: option because spawning processes is not cheap on resources.
