How does Apache interpret multiple SSLRandomSeed sources

In my Apache configuration I have these lines:

SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/random
SSLRandomSeed connect file:/dev/urandom 1024

How, exactly, does Apache interpret this? Does it first try builtin and then move to /dev/random if that fails? If it uses /dev/random, and /dev/random then runs out of entropy, does it automatically switch to /dev/urandom? Is there an Apache document somewhere that explains all this?


It is not stated in Apache docs, but looking at ssl_engine_rand.c (apache 2.2.21 here) you can see that the function ssl_rand_seed iterates over all the defined SSLRandomSeed sources, ultimately calling the OpenSSL RAND_seed function unless there is a failure.

Refering to the OpenSSL man page for RAND_seed, every successful call to it will add entropy to the state of the PRNG.

At the end, it asks OpenSSL if seeding is sufficient trough RAND_status.

So, if you define many sources, it will use all of these that work, and combine their entropy.