Bug 151200

Summary: enhance apache's SSL passphrase dialog
Product: [openSUSE] SUSE Linux 10.1 Reporter: Peter Poeml <poeml>
Component: NetworkAssignee: Peter Poeml <poeml>
Status: RESOLVED WORKSFORME QA Contact: E-mail List <qa-bugs>
Severity: Enhancement    
Priority: P5 - None CC: suse-beta
Version: Beta 4   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Peter Poeml 2006-02-15 16:30:13 UTC 
Date: Wed, 15 Feb 2006 16:56:34 +0100
From: poeml@cmdline.net
To: suse-linux-e@suse.com
Cc: Josef Wolf <jw@raven.inka.de>
Subject: Re: [SLE] Apache start very slooow...
X-Spam-Status: No, hits=-1.6 tagged_above=-20.0 required=5.0 tests=BAYES_00,
 NO_REAL_NAME

[-- PGP output follows (current time: Wed 15 Feb 2006 05:29:19 PM CET) --]
gpg: Signature made Wed 15 Feb 2006 04:56:33 PM CET using DSA key ID BF8B088D
gpg: Good signature from "Peter Poeml <poeml@cmdline.net>"
[-- End of PGP output --]

[-- The following data is signed --]

On Fri, Feb 10, 2006 at 08:26:56PM +0100, Josef Wolf wrote:
> Hello!
>
> I have configured apache2 on my suse-10.0 box to use
>
>  SSLRandomSeed startup file:/dev/random   512
>  SSLRandomSeed connect file:/dev/urandom  512
>
> and secured the private key for the certificate with a passphrase.  With
> this setting I experience major inconveniencies when the system is booted.
>
> 1. APACHE_START_TIMEOUT is counted from the moment /etc/init.d/apache2
>    is started to run instead of the moment apache asks for the passphrase.
>    Since /dev/random waits until it has enough entropy, the timeout often
>    is expired _before_ the passphrase prompt is printed even with a setting
>    of APACHE_START_TIMEOUT=600.  So I am forced to login and call
>    "/etc/init.d/apache2 start" by hand and possibly run into the timeout
>    again. :-(
>
> 2. Then I tried to set a very large timeout (3600 seconds), just to make
>    sure that there is always enough time until the passphrase is asked.
>    With this setting the script _always_ waits until the timout expires.
>    Even if the passphrase is entered withhin 60 seconds, apache will
>    not start serving until the 3600 seconds expire.
>
> 3. When the system is booted, no logins are started on the virtual terminals
>    until apache timeout expires.  So I have to wait for 3600 seconds until
>    I can login.
>
> It would be nice if it would be possible to have following behaviour:
>
>
> - Timeout starts at the moment the passphrase prompt is presented.
> - When passphrase is entered, apache immediately starts serving instead
>   of waiting until the timeout expires.
> - At least one login should be started on a virtual terminal, so one have a
>   chance to accelerate entropy gathering via "find / >/dev/null" or
>   "ping -f some.host.on.my.lan" or some such.
>
> Any ideas how this could be improved?

Your description of the issues is as detailed as exact.

It needs to be improved inside apache. Or an external program could be
used to query for the passphrase -- and it could run on another virtual
console (like vt8), but asynchroneously.

Unfortunately, the apache itself will wait forever for a passphrase, it
doesn't have a timeout yet, so this is not very suitable for booting.

it is also possible that multiple certificates are configured, and multiple
passphrases need to be entered for decryption.

BTW, My personal workaround (so far) is to either put the passphrase(s)
onto disk, or to start apache without SSL during booting, and once the
system is booted, log in and restart it with SSL, entering the
passphrases then.

I will put this as enhancement request into bugzilla, so it doesn't get
lost.

Thanks,
Peter

[-- End of signed data --]
Comment 1 Peter Poeml 2006-11-10 14:44:01 UTC 
As no work has happened on this in the last years, and there are always
more important issues on the plate, I am closing this bug as worksforme.