Joe Orton wrote:
On Tue, Mar 25, 2008 at 09:49:20PM -0600, Jonathan Steffan wrote:
Thanks Jeff. This seems to have helped some. What are we supposed to do about a rpm package that needs to generate keys in %post? Just hope users are patient enough?
Use something which does not consume the /dev/random entropy pool; I can't see a way to make GnuTLS certtool do that, but /usr/bin/openssl can. The mod_ssl %post does:
%{_bindir}/openssl genrsa -rand /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime 1024 > %{sslkey} 2> /dev/null
I've been meaning to split this out into a script since the dummy keypair generation is copied and pasted into several places. The list of /proc files probably needs updating too.
What package are you working on here?
mod_gnutls
http://jsteffan.fedorapeople.org/SRPMS/mod_gnutls-0.2.0-2.fc8.src.rpm
The SELinux stuff still remains, and I've come to find out that mod_gnutls is not playing nice with mod_proxy, so I might not even end up using mod_gnutls.