How does Apache interpret multiple SSLRandomSeed sources
In my Apache configuration I have these lines:
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/random
SSLRandomSeed connect file:/dev/urandom 1024
How, exactly, does Apache interpret this? Does it first try builtin and then move to /dev/random if that fails? If it uses /dev/random, and /dev/random then runs out of entropy, does it automatically switch to /dev/urandom? Is there an Apache document somewhere that explains all this?
It is not stated in the Apache docs, but looking at ssl_engine_rand.c (Apache 2.2.21 here) you can see that the function ssl_rand_seed iterates over all the defined SSLRandomSeed sources, ultimately calling the OpenSSL RAND_seed function unless there is a failure.
Referring to the OpenSSL man page for RAND_seed, every successful call to it will add entropy to the state of the PRNG.
At the end, it asks OpenSSL if seeding is sufficient through RAND_status.
So, if you define many sources, it will use all of those that work, and combine their entropy.
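To make the "all sources are used, not tried in turn" point concrete, here is a small model of that loop written for this page; it is not Apache's ssl_rand_seed or OpenSSL's RAND_seed/RAND_status. The class SeedPool, the functions parse_directive, read_source and seed_from_config, the 32-byte "enough entropy" threshold and the choice to skip an unreadable source and carry on are all assumptions made for illustration. What it does reproduce from the answer and the Apache directive syntax: directives are filtered by context (startup or connect), every matching source that can be read contributes to one pool, and status is checked only at the end.

```python
import hashlib
import os
import struct
import time
from typing import List, Optional, Tuple

# Constructed model of the SSLRandomSeed loop described in the answer. It is
# written for this page and is not Apache's or OpenSSL's code. Names and the
# "32 bytes is enough" threshold are assumptions made for illustration.


class SeedPool:
    """Stand-in for OpenSSL's RAND_seed()/RAND_status(): every seed() call mixes
    more material into one state; status() reports whether enough has arrived."""

    ENTROPY_NEEDED = 32  # assumed threshold, not OpenSSL's real accounting

    def __init__(self) -> None:
        self._state = hashlib.sha256()
        self.bytes_seeded = 0
        self.sources_used: List[str] = []

    def seed(self, data: bytes, source: str) -> None:
        self._state.update(data)
        self.bytes_seeded += len(data)
        self.sources_used.append(source)

    def status(self) -> bool:
        return self.bytes_seeded >= self.ENTROPY_NEEDED


def parse_directive(line: str) -> Tuple[str, str, Optional[int]]:
    """Split 'SSLRandomSeed <startup|connect> <source> [bytes]' into its parts."""
    parts = line.split()
    if len(parts) not in (3, 4) or parts[0] != "SSLRandomSeed":
        raise ValueError(f"not an SSLRandomSeed directive: {line!r}")
    context, source = parts[1], parts[2]
    if context not in ("startup", "connect"):
        raise ValueError(f"unknown SSLRandomSeed context: {context!r}")
    nbytes = int(parts[3]) if len(parts) == 4 else None
    return context, source, nbytes


def read_source(source: str, nbytes: Optional[int]) -> bytes:
    """Fetch seed material from one source. Raises OSError if a file cannot be read."""
    if source == "builtin":
        # Apache's builtin source is weak by design (time, pid and a slice of the
        # scoreboard); this stand-in packs clock and pid only.
        return struct.pack("<Qi", time.time_ns(), os.getpid())
    if source.startswith("file:"):
        path = source[len("file:"):]
        with open(path, "rb") as fh:
            # Without a byte count the whole file is read, which never returns
            # for a device such as /dev/random: always give a count for those.
            return fh.read() if nbytes is None else fh.read(nbytes)
    raise ValueError(f"source type not modelled here: {source!r}")


def seed_from_config(lines: List[str], context: str) -> SeedPool:
    """Apply every directive whose context matches, in order, to one pool.
    Sources are not fallbacks: each readable one contributes. An unreadable one
    is skipped (assumed behaviour) and the remaining sources are still used."""
    pool = SeedPool()
    for line in lines:
        ctx, source, nbytes = parse_directive(line)
        if ctx != context:
            continue
        try:
            data = read_source(source, nbytes)
        except OSError as exc:
            print(f"skipping {source}: {exc}")
            continue
        pool.seed(data, source)
    return pool


if __name__ == "__main__":
    config = [
        "SSLRandomSeed startup builtin",
        "SSLRandomSeed connect builtin",
        "SSLRandomSeed connect file:/dev/random 16",
        "SSLRandomSeed connect file:/dev/urandom 1024",
    ]
    pool = seed_from_config(config, "connect")
    print(pool.sources_used, pool.bytes_seeded, pool.status())
```

Run it and all three connect sources show up in sources_used, in configuration order; the startup directive is ignored because the context does not match. Note that the question's second directive, file:/dev/random with no byte count, would make a file-reading loop like this one block indefinitely, which is why a count is given in the example.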