No problem Venkatesh.No, I don't know how to generate entropy in Apache because I think Apache uses the system entropy.You can check how many are available via: "cat /proc/sys/kernel/random/entropy_avail".Under the system I know of two different packages, one rngd and the other haveged.Therngddaemon, which is a part of the rng-tools package, is capable of using both environmental noise and hardware random number generators for extracting entropy. The daemon checks whether the data supplied by the source of randomness is sufficiently random and then stores it in the kernel's random-number entropy pool. The random numbers it generates are made available through the/dev/randomand/dev/urandomcharacter devices.The haveged project is an attempt to provide an easy-to-use, unpredictable random number generator based upon an adaptation of the HAVEGE algorithm. Haveged was created to remedy low-entropy conditions in the Linux random device that can occur under some workloads, especially on headless servers. Current development of haveged is directed towards improving overall reliability and adaptability while minimizing the barriers to using haveged for other tasks.What OS are you using? Redhat CentOS etc . . .On Thu, Sep 23, 2021 at 2:06 PM alchemist vk <alchemist.vk@xxxxxxxxx> wrote:Thanks Dewitt for your inputs.Will check from system perspective how to generate more entropy and resolve this issue.Do you know, how to generate more entropy in system or via apache so that it can never be deprived of entropy?With Regards,VenkateshOn Thu, Sep 23, 2021 at 8:46 PM Otis Dewitt - NOAA Affiliate <otis.dewitt@xxxxxxxx.invalid> wrote:Hmm I see, I not sure why you did not get this right away when switching from openssl to openssl-fips because FIPS require a lot of entropyand if this is on VMWARE, that has very poor entropy unless you use entropy generator like "haveged" or load virtio_rng kernel module.As I said before I am not sure how you will fix this without generating more entropy, it seems the system is unable to create enough andthere is no way around this.On Thu, Sep 23, 2021 at 1:15 AM alchemist vk <alchemist.vk@xxxxxxxxx> wrote:Thanks Jon for openssl command confirmation.@ylavik,Its linux OS and openssl version is 1.1.1k-fips. I not yet explored with SSLRandomSeed changes.Yes, we upgraded openssl few months back to 1.1.1k, but we are seeing this httpd hangs issue from last month.@otis Dewitt, Since its production code in systems, I cant install haveged and try it out.On Thu, Sep 23, 2021 at 4:57 AM Otis Dewitt - NOAA Affiliate <otis.dewitt@xxxxxxxx.invalid> wrote:I don't think "insufficient entropy" has anything to do with Apache, but you could try installing "haveged" rpm.That may solve your problem.On Wed, Sep 22, 2021 at 2:11 PM alchemist vk <alchemist.vk@xxxxxxxxx> wrote:Hi All,We are using httpd version 2.4.46 and its working fine for a long time. But recently, we started seeing an issue where apache hangs indefinitely even when the system is in idle state.And when apache hangs, I see below entries in error_log:[Tue Sep 21 22:05:53.243013 2021] [ssl:warn] [pid 5769:tid 2644435888] AH01990: Server: PRNG still contains insufficient entropy![Tue Sep 21 22:05:54.501476 2021] [ssl:warn] [pid 5769:tid 2787111856] AH01990: Server: PRNG still contains insufficient entropy![Tue Sep 21 22:05:54.502449 2021] [ssl:warn] [pid 5769:tid 2787111856] AH01990: Server: PRNG still contains insufficient entropy!...........I am pretty sure, we not changed anything related to httpd config for quite a time time and have no idea, why this issue started getting manifested now.Please help me how to RC this and what logs can be looked to debug further?PS: Occurence of issue is more in systems where FIPS is enabled. In FIPS disabled systems, occurrence is less.With RegardsVenkat
|