When you have a machine that does not generate a lot of entropy, cups can take an extremely long time to generate the SSL keys. Could you please provide a pkg_config or pkg_postinst section that uses the ssl-cert.eclass install_cert() to generate a cert and key file ahead of time? I just ran into this on my G5 workstation (quad PPC970MP, 12Gb RAM), where I've got a lot of memory, so the hard drive rarely spins up (to contribute to entropy).

I [14/Dec/2007:02:14:56 -0800] Generating SSL server key...
I [14/Dec/2007:02:19:57 -0800] Created SSL server key file "/etc/cups/ssl/server.key"...
I [14/Dec/2007:02:19:57 -0800] Generating self-signed SSL certificate...
I [14/Dec/2007:02:19:57 -0800] Created SSL server certificate file "/etc/cups/ssl/server.crt"...
D [14/Dec/2007:02:20:04 -0800] encrypt_client: 8 Connection from 172.16.9.2 now encrypted.

Upstream GnuTLS developers seem to be aware that their code uses more entropy than the OpenSSL implementations to generate keys and certs: http://lists.gnupg.org/pipermail/gnutls-dev/2006-February/001049.html
hack-patch: @4,4@ + inherit ssl-cert @END,END@ + use ssl && install_cert /etc/cups/ssl/server }
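Review bot: the @END,END@ hunk shows only a closing brace and no function header, so it is not visible whether `use ssl && install_cert /etc/cups/ssl/server` lands in pkg_postinst (where the first comment asks for it) or in some other phase function; please include the enclosing function line as context. Also worth stating in the commit text: `inherit ssl-cert` makes install_cert run openssl on the target at merge time, so every ssl build picks up that runtime requirement.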
This issue is an absolute PITA:

I [21/Jan/2008:17:08:38 +0100] Generating SSL server key...
I [21/Jan/2008:17:32:21 +0100] Created SSL server key file "/etc/cups/ssl/server.key"...
I [21/Jan/2008:17:32:21 +0100] Generating self-signed SSL certificate...
I [21/Jan/2008:17:32:21 +0100] Created SSL server certificate file "/etc/cups/ssl/server.crt"...

Please, hack'em all! ;-) \m/
But is this still an issue with newer gnutls? In the NEWS file I found:

* Version 2.1.4 (released 2007-10-27)
** certtool: Add option --disable-quick-random to enable the old behaviour of using /dev/random to generate keys.

* Version 2.1.2 (released 2007-10-14)
** certtool: Add option --quick-random. For generating low security test credentials.

And in ChangeLog:

2007-10-24 Nikos Mavrogiannopoulos <nmav@gnutls.org>
* src/certtool-gaa.c, src/certtool-gaa.h, src/certtool.gaa, src/cli.c, src/serv.c: /dev/urandom is used now by default for key generation. The option --disable-quick-random was introduced.

Seems that this is fixed in gnutls... Could somebody confirm that?
(In reply to comment #3)
> Seems that this is fixed in gnutls... Could somebody confirm that?

Yes, net-libs/gnutls-2.2.2 seems to solve this issue.

I [11/Mar/2008:19:06:05 +0100] Listening to /var/run/cups/cups.sock on fd 3...
I [11/Mar/2008:19:19:32 +0100] Generating SSL server key...
I [11/Mar/2008:19:19:32 +0100] Created SSL server key file "/etc/cups/ssl/server.key"...
I [11/Mar/2008:19:19:32 +0100] Generating self-signed SSL certificate...
I [11/Mar/2008:19:19:32 +0100] Created SSL server certificate file "/etc/cups/ssl/server.crt"...

Almost immediate 8)
Then it's better not to add a workaround for this issue into the portage tree. Thank you, Davide, for reporting back. Already fixed UPSTREAM.
This still seems to be an issue.

# emerge --info
Portage 2.1.4.4 (default/linux/amd64/2008.0/no-multilib, gcc-4.1.2, glibc-2.6.1-r0, 2.6.25-gentoo-r7 x86_64)
=================================================================
System uname: 2.6.25-gentoo-r7 x86_64 AMD Athlon(tm) 64 Processor 3200+
Timestamp of tree: Wed, 27 Aug 2008 05:45:01 +0000
app-shells/bash: 3.2_p33
dev-lang/python: 2.5.2-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 2.0.0
sys-apps/openrc: 0.2.5
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.61-r2
sys-devel/automake: 1.5, 1.10.1
sys-devel/binutils: 2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool: 1.5.26
virtual/os-headers: 2.6.23-r3
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -msse3 -O2 -pipe -fomit-frame-pointer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=athlon64 -msse3 -O2 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks metadata-transfer parallel-fetch sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://gentoo.mirrors.tds.net/gentoo"
LDFLAGS="-Wl,-O1"
LINGUAS="en_US en"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="3dnow acl acpi amd64 bash-completion berkdb bzip2 cli cracklib crypt cups dri gdbm gnutls gpm iconv ieee1394 isdnlog jpeg jpeg2k ldap mailwrapper midi mmx mudflap ncurses nls nptl nptlonly openmp pam pcre perl php png postgres pppd python readline reflection samba session spl sse sse2 sse3 ssl sysfs tcpd tiff truetype unicode usb vhosts xml xorg zip zlib" ALSA_CARDS="hda-intel usb-audio" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="auth_basic auth_digest authn_file authz_host cache dir disk_cache dav log_config mime" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LINGUAS="en_US en" USERLAND="GNU" VIDEO_CARDS="nv"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

# emerge -pv gnutls cups
[ebuild R ] net-libs/gnutls-2.2.5 USE="nls zlib -bindist -doc -guile -lzo"
[ebuild R ] net-print/cups-1.3.7-r1 USE="acl jpeg ldap nls pam perl php png ppds python samba ssl tiff -X -avahi -dbus -java -kerberos -slp -static -zeroconf" LINGUAS="en -de -es -et -fr -he -it -ja -pl -sv -zh_TW"

# snippet from /var/log/cups/error_log
I [27/Aug/2008:18:35:57 -0500] Listening to /var/run/cups/cups.sock (Domain)
I [27/Aug/2008:18:35:57 -0500] Listening to 0.0.0.0:631 (IPv4)
I [27/Aug/2008:18:35:57 -0500] Listening to :::631 (IPv6)
I [27/Aug/2008:18:35:57 -0500] Loaded configuration file "/etc/cups/cupsd.conf"
I [27/Aug/2008:18:35:57 -0500] Using default TempDir of /var/spool/cups/tmp...
I [27/Aug/2008:18:35:57 -0500] Configured for up to 100 clients.
I [27/Aug/2008:18:35:57 -0500] Allowing up to 100 client connections per host.
I [27/Aug/2008:18:35:57 -0500] Using policy "default" as the default!
I [27/Aug/2008:18:35:57 -0500] Full reload is required.
I [27/Aug/2008:18:35:57 -0500] Loaded MIME database from '/etc/cups': 35 types, 39 filters...
I [27/Aug/2008:18:35:57 -0500] Full reload complete.
I [27/Aug/2008:18:35:57 -0500] Cleaning out old temporary files in "/var/spool/cups/tmp"...
I [27/Aug/2008:18:35:57 -0500] Listening to /var/run/cups/cups.sock on fd 3...
I [27/Aug/2008:18:35:57 -0500] Listening to 0.0.0.0:631 on fd 4...
E [27/Aug/2008:18:35:57 -0500] Unable to open listen socket for address :::631 - Address family not supported by protocol.
I [27/Aug/2008:18:35:57 -0500] Resuming new connection processing...
I [27/Aug/2008:18:36:23 -0500] Generating SSL server key...
I [27/Aug/2008:19:14:15 -0500] Created SSL server key file "/etc/cups/ssl/server.key"...
I [27/Aug/2008:19:14:15 -0500] Generating self-signed SSL certificate...
I [27/Aug/2008:19:14:15 -0500] Created SSL server certificate file "/etc/cups/ssl/server.crt"...
Same issue here, with

* net-print/cups-1.3.8-r1
* net-libs/gnutls-2.5.4

Temporary solution: build cups with the "gnutls" USE flag disabled.
We added a note about the long time required to generate certificates in bug 254867. So, does the solution in this blog post help you: http://burtonini.com/blog/computers/cups-2006-08-14-18-00 ?
Is this still an issue?

I [09/Jul/2009:01:07:01 +0200] Generating SSL server key...
I [09/Jul/2009:01:07:14 +0200] Created SSL server key file "/etc/cups/ssl/server.key"...

Works quite ok here with cups-1.3.11 and gnutls-2.8.1, apart from that we have a gnutls USE flag now to disable the use of gnutls and favor openssl instead.
(In reply to comment #9) (2009)
> Is this still an issue?
>
> I [09/Jul/2009:01:07:01 +0200] Generating SSL server key...
> I [09/Jul/2009:01:07:14 +0200] Created SSL server key file
> "/etc/cups/ssl/server.key"...
>
> Works quite ok here with cups-1.3.11 and gnutls-2.8.1, apart from that we have
> a gnutls USE flag now to disable the use of gnutls and favor openssl instead.

Seems not. If you disagree, please re-open.
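The pre-generation that the first comment asks for (an install_cert-style step that creates server.key and server.crt before cupsd ever starts), written as a stand-alone shell script rather than an ebuild; this is an added example, not code from the bug report, the cups ebuild or ssl-cert.eclass. It assumes the /etc/cups/ssl paths from the logs above, uses OpenSSL (which reads /dev/urandom and so does not stall on a low entropy estimate), and takes CUPS_SSL_DIR as an assumed override for testing.

```shell
#!/bin/sh
# Added example (not from the bug report or the cups ebuild): pre-generate the
# CUPS server key and self-signed certificate with OpenSSL so that cupsd never
# has to block on key generation at its first start.
# CUPS_SSL_DIR is an assumed override; the default matches the thread's logs.

CUPS_SSL_DIR="${CUPS_SSL_DIR:-/etc/cups/ssl}"

# Print the kernel's current entropy estimate in bits (0 if unreadable).
entropy_avail() {
    if [ -r /proc/sys/kernel/random/entropy_avail ]; then
        cat /proc/sys/kernel/random/entropy_avail
    else
        echo 0
    fi
}

# Succeed when both server.key and server.crt already exist and are non-empty.
cups_cert_present() {
    [ -s "$CUPS_SSL_DIR/server.key" ] && [ -s "$CUPS_SSL_DIR/server.crt" ]
}

# Create a 2048-bit RSA key and a 10-year self-signed cert, never overwriting
# existing files. The key is written under umask 077 so it is never world-readable.
cups_cert_generate() {
    cups_cert_present && return 0
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 1; }
    [ "$(entropy_avail)" -lt 256 ] && echo "note: low entropy estimate (harmless with urandom)" >&2
    cn="$(hostname 2>/dev/null || echo localhost)"
    mkdir -p "$CUPS_SSL_DIR" && chmod 700 "$CUPS_SSL_DIR" || return 1
    (
        umask 077
        openssl req -new -x509 -nodes -days 3650 -newkey rsa:2048 \
            -subj "/CN=$cn" \
            -keyout "$CUPS_SSL_DIR/server.key" \
            -out "$CUPS_SSL_DIR/server.crt" >/dev/null 2>&1
    ) || return 1
    chmod 644 "$CUPS_SSL_DIR/server.crt"
    cups_cert_present
}

# Usage (as root, before cupsd is started for the first time):  cups_cert_generate
```

Run it once from a post-install hook or an init script; on a box that already has the files it is a no-op, so it is safe to re-run on every boot.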