Bobcares

SSLRandomSeed cannot occur within VirtualHost section – How to fix?

by | Jan 13, 2021

Facing SSLRandomSeed cannot occur within VirtualHost section? We can help you.

Here, at Bobcares, we assist our customers with several VirtualHost queries as part of our Server Management Services.

Today, let us see the cause and fix of this error.

 

SSLRandomSeed cannot occur within VirtualHost section

While we restart apache, we might receive the error:

# ./apachectl startssl
Syntax error on line 983 of /kit/conf/httpd.conf:
SSLRandomSeed cannot occur within <VirtualHost> section
../apachectl startssl: httpd could not be started

This error occurs when the SSLRandomSeed directive is specified inside the VirtualHost section.

SSLRandomSeed directive

SSLRandomSeed directive configures one or more sources for seeding the Pseudo Random Number Generator (PRNG) in OpenSSL at startup time and/or just before a new SSL connection.

We can only use this directive in the global server context because the PRNG is a global facility.

The syntax of the SSLRandomSeed directive is given below:

SSLRandomSeed context source [bytes]

The following source variants are available:

  • builtin

This is the always available builtin seeding source. Its usage consumes minimum CPU cycles under runtime.

The drawback is that at startup time this source just produces a few bytes of entropy. So we should always, at least for the startup, use an additional seeding source.

  • file:/path/to/source

This variant uses an external file /path/to/source as the source for seeding the PRNG.

When bytes are specified, only the first bytes number of bytes of the file form the entropy. When bytes are not specified the whole file forms the entropy.

We use this especially at startup time, for instance with available /dev/random and/or /dev/urandom devices.

However, /dev/random provides only as much entropy data as it actually has, i.e. when we request 512 bytes of entropy, but if the device has only 100 bytes available two things can happen: On some platforms, we receive only the 100 bytes while on other platforms the read blocks until enough bytes are available.

Here using an existing /dev/urandom is better, because it never blocks and actually gives the amount of requested data. The drawback is just that the quality of data may not be the best.

  • exec:/path/to/program

This variant uses an external executable /path/to/program as the source for seeding the PRNG.

When bytes is specified, only the first bytes number of bytes of its stdout contents form the entropy. When bytes are not specified, the entirety of the data produced on stdout forms the entropy.

We use this only at startup time when we need a very strong seeding with the help of an external program. Using this in the connection context slows down the server too dramatically. So usually we should avoid using external programs in that context.

  • egd:/path/to/egd-socket (Unix only)

This variant uses the Unix domain socket of the external Entropy Gathering Daemon (EGD) to seed the PRNG. We use this if no random device exists on our platform.

For example,

SSLRandomSeed startup builtin
SSLRandomSeed startup “file:/dev/random”
SSLRandomSeed startup “file:/dev/urandom” 1024
SSLRandomSeed startup “exec:/usr/local/bin/truerand” 16
SSLRandomSeed connect builtin
SSLRandomSeed connect “file:/dev/random”
SSLRandomSeed connect “file:/dev/urandom” 1024

 

Solution for SSLRandomSeed cannot occur within VirtualHost section

In order to resolve this error, an effective method is to move the SSLRandomSeed directives higher up in the conf file, before the VirtualHost sections.

It will be better to specify directly under the <IfDefine SSL> or prior to that.

[The error prevails? We can help you resolve]

 

Conclusion

In short, SSLRandomSeed cannot occur within VirtualHost section trigger when the SSLRandomSeed directive is specified inside the VirtualHost section. Today, we saw an effective method our Support Engineers employ to fix this error.

PREVENT YOUR SERVER FROM CRASHING!

Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.

GET STARTED

var google_conversion_label = "owonCMyG5nEQ0aD71QM";

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Never again lose customers to poor
server speed! Let us help you.