How does Apache interpret multiple SSLRandomSeed sources

apache-2.2 ssl mod-ssl entropy-pool

In my Apache configuration I have these lines:

SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/random
SSLRandomSeed connect file:/dev/urandom 1024

How, exactly, does Apache interpret this? Does it first try builtin and then move to /dev/random if that fails? If it uses /dev/random, and /dev/random then runs out of entropy, does it automatically switch to /dev/urandom? Is there an Apache document somewhere that explains all this?


It is not stated in Apache docs, but looking at ssl_engine_rand.c (apache 2.2.21 here) you can see that the function ssl_rand_seed iterates over all the defined SSLRandomSeed sources, ultimately calling the OpenSSL RAND_seed function unless there is a failure.

Refering to the OpenSSL man page for RAND_seed, every successful call to it will add entropy to the state of the PRNG.

At the end, it asks OpenSSL if seeding is sufficient trough RAND_status.

So, if you define many sources, it will use all of these that work, and combine their entropy.

Related

How to manually run application as "IIS APPPOOL\MyAppPool" user
How to copy many Scheduled Tasks between Windows Server 2008 machines?
How do I convince Dell blades to PXE Boot
nginx error_page for 502 Bad Gateway errors
How to disable Request Filtering for a specific website on IIS 7.5?
Ping hostname works but nslookup to hostname doesn't
Security when SSH private keys are lost
Is bonding mode=5 a solution against MAC flapping?
NIC Teaming with Broadcom on HyperV 2008 R2
No common encryption algorithm(s) (ssl_error_no_cypher_overlap)
Server 08 RDP: possible to warn if same user is already connected?
Forwarding serial port over network and back to serial char device on remote host (socat?)