httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ben Laurie <>
Subject Re: how to avoid balancer manager nonce?
Date Sat, 01 Sep 2012 16:39:00 GMT
On Sat, Sep 1, 2012 at 4:47 PM, Jim Jagielski <> wrote:
> Another alternative would be to have the nonce also possibly
> set at config-time and, if unset, then use the uuid. That way
> it could also be used as a sort of shared-secret ;)
>         ProxySet nonce="applepie!"
> Longer term, I think that's a more "strategic" solution.

What? Nonces are one-time use only, by definition.

Better, IMO, would be to either use insecure random, or, better still,
seed a PRNG from secure random once and use that from then on (for all

Or switch to FreeBSD where /dev/random does not block :-)

> On Aug 31, 2012, at 2:14 PM, Stefan Fritsch <> wrote:
>> On Friday 31 August 2012, Eric Covener wrote:
>>> I'm fighting a problem on new releases of AIX where in some
>>> environments, /dev/random seems to run out of entropy way too
>>> quick.
>>> I'd like a way to suppress the apr_uuid_get->
>>> apr_generate_random_bytes() in mod_proxy_balancer used for the
>>> balancer-manager nonce in affected environments.
>>> I was thinking a global "BalancerManager off" could be used for
>>> this and would also have the upside of fixing the SetHandler
>>> htaccess problem.
>>> Alternatives would be to find a weaker source for the nonce, or
>>> allow tto opt out / use a hard-coded one.
>>> Any suggestions?
>> For 2.4, you could use ap_random_insecure_bytes(). It should be good
>> enough for a nonce.
>> If you add a "BalancerManager off", it should be per directory, or at
>> least per vhost. Otherwise it would not help that much with the
>> SetHandler htaccess problem.

View raw message