Posted to users@tomcat.apache.org by Gregor Schneider <rc...@googlemail.com> on 2008/09/01 11:21:43 UTC
Re: APR & SSL not working
Hi Markus,
On Fri, Aug 29, 2008 at 5:52 PM, Markus Schönhaber
<to...@list-post.mks-mail.de> wrote:
> Gregor Schneider schrieb:
>
> Search the list archives. There has more than once been discussion about
> this topic. For example
> http://marc.info/?l=tomcat-user&m=118190563608389&w=2
> Maybe this helps.
>
actually it did, thanks a lot for the hint.
The solution was:
- create an .rnd-file within the user-space:
openssl rand -out $HOME/.rnd 2048
- compile the APR with /dev/urandom:
./configure --with-apr=/usr/bin/apr-1-config \
--with-devrandom=/dev/urandom \
--prefix=/home/tomcat/www/lib
make && make install
Now it seems to work like charm.
Again, thanks for shedding some light.
Gregor
--
what's puzzlin' you, is the nature of my game
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: APR & SSL not working
Posted by Gregor Schneider <rc...@googlemail.com>.
Hi Markus,
On Mon, Sep 1, 2008 at 4:56 PM, Markus Schönhaber
<to...@list-post.mks-mail.de> wrote:
>
> Is the libtcnative your Tomcat uses really linked against your self-compiled
> version of APR (ldd to check)?
>
looks as if you're becoming my personal hero...
I just had the development-headers of the APR installed, meaning the
APR was the pre-compiled Debian-version.
Now I've downloaded the APR-sources, compiled them with
./configure --with-devrandom=/dev/urandom
make && make install
Really a big, big thanks for helping me to make it work!
Gregor
--
what's puzzlin' you, is the nature of my game
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371
Re: APR & SSL not working
Posted by Markus Schönhaber <to...@list-post.mks-mail.de>.
Gregor Schneider wrote:
> seems I was a bit too optimistic...
>
> although I compiled APR with /dev/urandom PLUS creating $HOME/.rnd
> (changed 2048 to 4096 since this is the value specified in
> /proc/sys/kernel/poolsize), it's again taking ages to start up tomcat.
AFAIK /dev/urandom is guaranteed not to block. If initializing the HTTPS
connector takes very long nevertheless, I'd make sure that /dev/urandom
is indeed used - and not /dev/random. You could, for example, use lsof
to check.
Is the libtcnative your Tomcat uses really linked against your
self-compiled version of APR (ldd to check)?
> Do you know of any additional option to speed up the process of
> creating some entropy?
I'm not sure, but maybe a lot of activity generated in an ssh session
might help too.
Regards
mks
Re: APR & SSL not working
Posted by Gregor Schneider <rc...@googlemail.com>.
Hi Markus,
seems I was a bit too optimistic...
although I compiled APR with /dev/urandom PLUS creating $HOME/.rnd
(changed 2048 to 4096 since this is the value specified in
/proc/sys/kernel/poolsize), it's again taking ages to start up tomcat.
Since this is a server-machine where I just can't "move the mouse or
hack the keyboard" to create some entropy, I'm again stuck here.
Do you know of any additional option to speed up the process of
creating some entropy?
Since we're stuck to Tomcat 5.5, unfortunately Tomcat 6 with the new
config is not an option.
Cheers
Gregor
--
what's puzzlin' you, is the nature of my game
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371
Re: APR & SSL not working
Posted by Markus Schönhaber <to...@list-post.mks-mail.de>.
Gregor Schneider wrote:
> The solution was:
>
> - create an .rnd-file within the user-space:
>
> openssl rand -out $HOME/.rnd 2048
>
> - compile the APR with /dev/urandom:
>
> ./configure --with-apr=/usr/bin/apr-1-config \
> --with-devrandom=/dev/urandom \
> --prefix=/home/tomcat/www/lib
>
> make && make install
>
> Now it seems to work like charm.
If you configure APR to use /dev/urandom, creating a static random file
shouldn't be necessary.
BTW: in Tomcat 6 (starting with 6.0.17?) the AprLifecycleListener
supports the attribute SSLRandomSeed:
<http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html#Edit%20the%20Tomcat%20Configuration%20File>
This is supposed to set the random source used by APR. As I understand
it (haven't tried it myself) one should be able to set this, for
example, to /dev/urandom or a static random file and speed things up
even if APR was compiled with /dev/random as default random source.
Regards
mks
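The two checks Markus suggests earlier in the thread (which random device the Tomcat process actually holds open, and whether libtcnative is linked against the self-compiled APR rather than the Debian one) and the Tomcat 6 SSLRandomSeed setting he mentions above, as an added shell example that is not part of this thread. It reads the text of `ls -l /proc/<pid>/fd` rather than calling lsof, takes the APR install prefix /home/tomcat/www/lib from Gregor's configure line, and the fd listing, ldd output and server.xml snippets it runs on are constructed samples, not captures from a real host.

```shell
#!/bin/sh
# Added example, not code from the thread. Three checks for the APR/SSL entropy
# problem discussed above, each written to take tool output as text so it can
# be exercised on the constructed samples below or on real output from
# `ls -l /proc/<pid>/fd`, `ldd libtcnative-1.so` and conf/server.xml.

# 1. Which random device does the process hold open? Takes the text of
#    `ls -l /proc/<pid>/fd` and prints "random", "urandom", "both" or "none".
#    A Tomcat that shows "random" is the one that blocks on a headless server.
random_device_in_use() {
    fds="$1"
    has_random=0
    has_urandom=0
    # Anchor on the link target so "/dev/random" is not matched by "/dev/urandom".
    printf '%s\n' "$fds" | grep -q -- '-> /dev/random$' && has_random=1
    printf '%s\n' "$fds" | grep -q -- '-> /dev/urandom$' && has_urandom=1
    if [ "$has_random" -eq 1 ] && [ "$has_urandom" -eq 1 ]; then
        echo both
    elif [ "$has_random" -eq 1 ]; then
        echo random
    elif [ "$has_urandom" -eq 1 ]; then
        echo urandom
    else
        echo none
    fi
}

# 2. Is libtcnative resolved against the self-compiled APR? Takes the text of
#    `ldd libtcnative-1.so` and the install prefix of the rebuilt APR. Prints the
#    path ldd resolved for libapr-1 and returns 0 only if it lies under the prefix.
apr_linked_from_prefix() {
    ldd_out="$1"
    prefix="$2"
    # ldd lines look like: "libapr-1.so.0 => /usr/lib/libapr-1.so.0 (0x...)"
    path=$(printf '%s\n' "$ldd_out" | awk '/libapr-1\.so/ { print $3; exit }')
    printf '%s\n' "${path:-not-found}"
    case "$path" in
        "$prefix"/*) return 0 ;;
        *)           return 1 ;;
    esac
}

# 3. Does server.xml pin the random source explicitly (Tomcat 6 SSLRandomSeed on
#    the AprLifecycleListener)? Takes the XML text; prints the attribute value or
#    "unset". Only that listener carries this attribute, so a file-wide grep is enough.
ssl_random_seed_setting() {
    xml="$1"
    val=$(printf '%s\n' "$xml" | grep -o 'SSLRandomSeed="[^"]*"' | head -n 1 \
          | sed 's/^SSLRandomSeed="//; s/"$//')
    if [ -n "$val" ]; then echo "$val"; else echo unset; fi
}

# --- Constructed samples (not captured from a real host) ---------------------
FD_BLOCKING='lrwx------ 1 tomcat tomcat 64 Sep  1 16:00 5 -> /dev/random
lrwx------ 1 tomcat tomcat 64 Sep  1 16:00 6 -> /dev/null'
FD_OK='lrwx------ 1 tomcat tomcat 64 Sep  1 16:00 5 -> /dev/urandom'
LDD_DISTRO='	libapr-1.so.0 => /usr/lib/libapr-1.so.0 (0x00007f0000000000)
	libc.so.6 => /lib/libc.so.6 (0x00007f0000100000)'
LDD_SELF='	libapr-1.so.0 => /home/tomcat/www/lib/libapr-1.so.0 (0x00007f0000000000)'
XML_UNSET='<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />'
XML_SET='<Listener className="org.apache.catalina.core.AprLifecycleListener"
          SSLEngine="on" SSLRandomSeed="/dev/urandom" />'

# Demo run; on a live host replace the samples with real tool output.
echo "fd check:  $(random_device_in_use "$FD_BLOCKING")"       # random
if apr_linked_from_prefix "$LDD_DISTRO" /home/tomcat/www/lib; then
    echo "APR: self-compiled build in use"
else
    echo "APR: distro build still in use"
fi
echo "seed:      $(ssl_random_seed_setting "$XML_SET")"        # /dev/urandom
```

On a real server the first check is run against the JVM's pid (`ls -l /proc/$(pgrep -f catalina) /fd` style listing), and the second against the libtcnative-1.so that Tomcat's java.library.path actually loads, since a second copy left in /usr/lib is exactly the situation Markus's ldd question is aimed at.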