Apache Start-up error
on 21.08.2002 16:15:03 by kishorshah
Friends,
I am trying to start-up Apache but getting the following errors:
[Wed Aug 21 09:52:02 2002] [warn] Init: PRNG still contains insufficient entropy
[Wed Aug 21 09:52:02 2002] [error] Init: Failed to generate temporary 512 bit RSA private key
My environment is Solaris 2.8, Apache 2.0.40 with mod_ssl, OpenSSL 0.96g.
I have tried various things in the ssl.conf file:
1) Using the default setting for SSLRandomSeed directive.
SSLRandomSeed startup builtin
2) Creating a file with random data and trying,
#SSLRandomSeed startup file:/tmp/.rnd 1024
3) One thread suggested putting the directives in httpd.conf, but that did not help either.
What am I doing wrong here and how can I resolve this? Any help/suggestions are greatly appreciated as I'm new to the Apache/SSL world.
Thanks,
Kishor Shah
email - kishorshah@lucent.com
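An added check for the situation in this post (my own code, not from the thread or from mod_ssl): it reads the active SSLRandomSeed lines of an ssl.conf and reports whether each `file:` or `exec:` source can actually supply seed material. `builtin` on its own is flagged; a file source must exist, be a device or a regular file at least as large as the byte count requested, and must not be writable by other users, since a seed file anyone can overwrite (as a world-writable /tmp/.rnd would be) is not a secret. The sample config is constructed; `egd:` sources are not handled.

```python
import os
import re
import stat

# Constructed sample (not the poster's real ssl.conf): the lines tried in the
# post plus a /dev/urandom source, so the audit has one strong startup source.
SAMPLE_CONF = """\
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/tmp/.rnd 1024
SSLRandomSeed startup file:/dev/urandom 512
"""
SEED_RE = re.compile(r"^\s*SSLRandomSeed\s+(startup|connect)\s+(\S+)(?:\s+(\d+))?\s*$", re.I)

def parse_seeds(conf_text):
    """Return (context, source, nbytes) for every active SSLRandomSeed line."""
    seeds = []
    for line in conf_text.splitlines():
        m = SEED_RE.match(line)  # commented-out lines never match
        if m:
            ctx, src, n = m.groups()
            seeds.append((ctx.lower(), src, int(n) if n else None))
    return seeds

def check_source(src, nbytes=None):
    """Classify one file:/exec: source as (usable, reason) without reading any seed."""
    if src == "builtin":
        return False, "builtin only mixes time, pid and scoreboard data"
    kind, _, path = src.partition(":")
    if kind not in ("file", "exec") or not os.path.exists(path):
        return False, "%s: unsupported type or missing path" % src
    st = os.stat(path)
    if kind == "file" and stat.S_ISCHR(st.st_mode):
        return True, "%s is a device" % path  # /dev/random or /dev/urandom
    if not stat.S_ISREG(st.st_mode):
        return False, "%s is not a regular file" % path
    if kind == "exec" and not os.access(path, os.X_OK):
        return False, "%s is not executable" % path
    if kind == "file" and nbytes and st.st_size < nbytes:
        return False, "%s holds %d bytes, %d requested" % (path, st.st_size, nbytes)
    if st.st_mode & stat.S_IWOTH:
        return False, "%s is world-writable: anyone could replace the seed" % path
    return True, "%s (%s)" % (path, kind)

def audit(conf_text):
    """Per-context verdict: True when at least one usable source seeds that context."""
    verdict = {"startup": False, "connect": False}
    for ctx, src, n in parse_seeds(conf_text):
        verdict[ctx] = verdict[ctx] or check_source(src, n)[0]
    return verdict
```

Run `audit(SAMPLE_CONF)` against your own file contents: a `startup` verdict of False with only `builtin` configured is exactly the state the two log lines above describe.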
-----Original Message-----
From: Edward Wong [mailto:ed_l_wong@hotmail.com]
Sent: Wednesday, August 21, 2002 1:43 AM
To: modssl-users@modssl.org
Subject: Re: Corrupt Jar and Cab files
One more thing: this issue actually applies to all files of any type.
Anything bigger than about 30K gets truncated.
--Ed
>From: "Edward Wong"
>Reply-To: modssl-users@modssl.org
>To: modssl-users@modssl.org
>Subject: Corrupt Jar and Cab files
>Date: Tue, 20 Aug 2002 16:49:56 -0700
>
>Hello All,
>
>I'm seeing strange behavior when running apache 2.0.39 on Windows XP, where
>jar and cab files are truncated after only 16K or so (my jar/cab
>files are actually around 100K). This seems to happen with just about any
>browser, regardless of the JVM. Also, this issue only occurs on Windows
>XP. Win2k, WinNT, and Linux all work properly.
>
>In Windows XP under http, everything seems to work just fine. Under https,
>everything works fine EXCEPT for the jar and cab files. Taking a look at
>the java cache shows that naturally, the jar and cab files are missing. My
>ssl conf files are as follows:
>
>-------------------ssl.conf------------------------
>
>#
># This is the Apache server configuration file providing SSL support.
># It contains the configuration directives to instruct the server how to
># serve pages over an https connection. For detailing information about these
># directives see
>#
># For the moment, see
># The documents are still being prepared from material donated by the
># modssl project.
>#
>
>#
># When we also provide SSL we have to listen to the
># standard HTTP port (see above) and to the HTTPS port
>#
>
>include conf/ssllisten.conf
>
>##
>## SSL Global Context
>##
>## All SSL configuration in this context applies both to
>## the main server and all SSL-enabled virtual hosts.
>##
>
>#
># Some MIME-types for downloading Certificates and CRLs
>#
>AddType application/x-x509-ca-cert .crt
>AddType application/x-pkcs7-crl .crl
>AddType application/x-509-ca-cert .csr
>
># Pass Phrase Dialog:
># Configure the pass phrase gathering process.
># The filtering dialog program (`builtin' is an internal
># terminal dialog) has to provide the pass phrase on stdout.
>#SSLPassPhraseDialog exec:certificates/getPassword.exe
>
># Inter-Process Session Cache:
># Configure the SSL Session Cache: First the mechanism
># to use and second the expiring timeout (in seconds).
>#SSLSessionCache none
>#SSLSessionCache shmht:logs/ssl_scache(512000)
>#SSLSessionCache shmcb:logs/ssl_scache(512000)
>SSLSessionCache dbm:logs/ssl_scache
>SSLSessionCacheTimeout 300
>
># Semaphore:
># Configure the path to the mutual exclusion semaphore the
># SSL engine uses internally for inter-process synchronization.
>SSLMutex file:logs/ssl_mutex
>
># Pseudo Random Number Generator (PRNG):
># Configure one or more sources to seed the PRNG of the
># SSL library. The seed data should be of good random quality.
># WARNING! On some platforms /dev/random blocks if not enough entropy
># is available. This means you then cannot use the /dev/random device
># because it would lead to very long connection times (as long as
># it requires to make more entropy available). But usually those
># platforms additionally provide a /dev/urandom device which doesn't
># block. So, if available, use this one instead. Read the mod_ssl User
># Manual for more details.
>SSLRandomSeed startup builtin
>SSLRandomSeed connect builtin
>#SSLRandomSeed startup file:/dev/random 512
>#SSLRandomSeed startup file:/dev/urandom 512
>#SSLRandomSeed connect file:/dev/random 512
>#SSLRandomSeed connect file:/dev/urandom 512
>
># Logging:
># The home of the dedicated SSL protocol logfile. Errors are
># additionally duplicated in the general error log file. Put
># this somewhere where it cannot be used for symlink attacks on
># a real server (i.e. somewhere where only root can write).
># Log levels are (ascending order: higher ones include lower ones):
># none, error, warn, info, trace, debug.
>#SSLLog logs/ssl_engine_log
>#SSLLogLevel warn
>
>
># SSL Cipher Suite:
>include conf/ciphers.conf
>
>##
>## SSL Virtual Host Context
>##
>
>include conf/sslvirtualhost.conf
>
>--------and sslvirtualhost.conf--------
>
>#DocumentRoot "doc"
>#ServerAdmin you@your.address
>ErrorLog logs/error_log
>TransferLog logs/access_log
>UseCanonicalName On
>
># SSL Engine Switch:
># Enable/Disable SSL for this virtual host.
>SSLEngine on
>
># Server Certificate:
># Point SSLCertificateFile at a PEM encoded certificate. If
># the certificate is encrypted, then you will be prompted for a
># pass phrase. Note that a kill -HUP will prompt again. A test
># certificate can be generated with `make certificate' under
># built time. Keep in mind that if you've both a RSA and a DSA
># certificate you can configure both in parallel (to also allow
># the use of DSA ciphers, etc.)
>
>SSLCertificateFile certificates/server.crt
>
>
># Server Private Key:
># If the key is not combined with the certificate, use this
># directive to point at the key file. Keep in mind that if
># you've both a RSA and a DSA private key you can configure
># both in parallel (to also allow the use of DSA ciphers, etc.)
>
>SSLCertificateKeyFile certificates/server.key
>
>
># Server Certificate Chain:
># Point SSLCertificateChainFile at a file containing the
># concatenation of PEM encoded CA certificates which form the
># certificate chain for the server certificate. Alternatively
># the referenced file can be the same as SSLCertificateFile
># when the CA certificates are directly appended to the server
># certificate for convenience.
>
>#SSLCertificateChainFile certificates/server.crt
>
>
># Certificate Authority (CA):
># Set the CA certificate verification path where to find CA
># certificates for client authentication or alternatively one
># huge file containing all of them (file must be PEM encoded)
># Note: Inside SSLCACertificatePath you need hash symlinks
># to point to the certificate files. Use the provided
># Makefile to update the hash symlinks after changes.
>#SSLCACertificatePath /Apache2/conf/ssl.crt
>#SSLCACertificateFile /Apache2/conf/ssl.crt/ca-bundle.crt
>
># Certificate Revocation Lists (CRL):
># Set the CA revocation path where to find CA CRLs for client
># authentication or alternatively one huge file containing all
># of them (file must be PEM encoded)
># Note: Inside SSLCARevocationPath you need hash symlinks
># to point to the certificate files. Use the provided
># Makefile to update the hash symlinks after changes.
>#SSLCARevocationPath /Apache2/conf/ssl.crl
>#SSLCARevocationFile /Apache2/conf/ssl.crl/ca-bundle.crl
>
># Client Authentication (Type):
># Client certificate verification type and depth. Types are
># none, optional, require and optional_no_ca. Depth is a
># number which specifies how deeply to verify the certificate
># issuer chain before deciding the certificate is not valid.
>#SSLVerifyClient require
>#SSLVerifyDepth 10
>
># Access Control:
># With SSLRequire you can do per-directory access control based
># on arbitrary complex boolean expressions containing server
># variable checks and other lookup directives. The syntax is a
># mixture between C and Perl. See the mod_ssl documentation
># for more details.
>#
>#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
># and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
># and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
># and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
># and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
># or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
>#
>
># SSL Engine Options:
># Set various options for the SSL engine.
># o FakeBasicAuth:
># Translate the client X.509 into a Basic Authorisation. This means that
># the standard Auth/DBMAuth methods can be used for access control. The
># user name is the `one line' version of the client's X.509 certificate.
># Note that no password is obtained from the user. Every entry in the user
># file needs this password: `xxj31ZMTZzkVA'.
># o ExportCertData:
># This exports two additional environment variables: SSL_CLIENT_CERT and
># SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
># server (always existing) and the client (only existing when client
># authentication is used). This can be used to import the certificates
># into CGI scripts.
># o StdEnvVars:
># This exports the standard SSL/TLS related `SSL_*' environment variables.
># Per default this exportation is switched off for performance reasons,
># because the extraction step is an expensive operation and is usually
># useless for serving static content. So one usually enables the
># exportation for CGI and SSI requests only.
># o CompatEnvVars:
># This exports obsolete environment variables for backward compatibility
># to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
># to provide compatibility to existing CGI scripts.
># o StrictRequire:
># This denies access when "SSLRequireSSL" or "SSLRequire" applied even
># under a "Satisfy any" situation, i.e. when it applies access is denied
># and no other module can change it.
># o OptRenegotiate:
># This enables optimized SSL connection renegotiation handling when SSL
># directives are used in per-directory context.
>SSLOptions +StdEnvVars +StrictRequire +OptRenegotiate
>
> SSLOptions +StdEnvVars
>
>
>
># SSL Protocol Adjustments:
># The safe and default but still SSL/TLS standard compliant shutdown
># approach is that mod_ssl sends the close notify alert but doesn't wait for
># the close notify alert from client. When you need a different shutdown
># approach you can use one of the following variables:
># o ssl-unclean-shutdown:
># This forces an unclean shutdown when the connection is closed, i.e. no
># SSL close notify alert is sent or allowed to be received. This violates
># the SSL/TLS standard but is needed for some brain-dead browsers. Use
># this when you receive I/O errors because of the standard approach where
># mod_ssl sends the close notify alert.
># o ssl-accurate-shutdown:
># This forces an accurate shutdown when the connection is closed, i.e. a
># SSL close notify alert is sent and mod_ssl waits for the close notify
># alert of the client. This is 100% SSL/TLS standard compliant, but in
># practice often causes hanging connections with brain-dead browsers. Use
># this only for browsers where you know that their SSL implementation
># works correctly.
># Notice: Most problems of broken clients are also related to the HTTP
># keep-alive facility, so you usually additionally want to disable
># keep-alive for those clients, too. Use variable "nokeepalive" for this.
># Similarly, one has to force some clients to use HTTP/1.0 to workaround
># their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
># "force-response-1.0" for this.
>SetEnvIf User-Agent ".*MSIE.*" \
> nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
>
># Per-Server Logging:
># The home of a custom SSL log file. Use this when you want a
># compact non-error SSL logfile on a virtual host basis.
>CustomLog logs/ssl_request_log \
> "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
>Any and all help is greatly appreciated.
>
>--Edward Wong
>
>
>
>___________________________________________________________ ___________
>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>User Support Mailing List modssl-users@modssl.org
>Automated List Manager majordomo@modssl.org