httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: how to avoid balancer manager nonce?
Date Wed, 05 Sep 2012 11:42:05 GMT
On 31.08.2012 15:45, Eric Covener wrote:
> I'm fighting a problem on new releases of AIX where in some
> environments, /dev/random seems to run out of entropy way too quick.
>
> I'd like a way to suppress the apr_uuid_get->
> apr_generate_random_bytes() in mod_proxy_balancer used for the
> balancer-manager nonce in affected environments.

Doesn't it only call apr_uuid_get() during creation of the balancer 
worker? So IMHO it should be only a problem during startup.

> I was thinking a global "BalancerManager off" could be used for this

For 2.4 there already seems to be a configurable "nonce" attribute for 
each balancer allowing the special value "None". Not so for 2.2.

> and would also have the upside of fixing the SetHandler htaccess
> problem.

Not sure what the "SetHandler htaccess" problem is.

> Alternatives would be to find a weaker source for the nonce, or allow
> tto opt out / use a hard-coded one.
>
> Any suggestions?

Concerning the more recent discussion on this topic: it seems the nonce 
was introduced in r661666 to counter a possible CSRF attack against the 
balancer manager (CVE-2007-6420). Configurability was aded later.

Regards,

Rainer


Mime
View raw message