From 1107ede716461049033d6a5b311e14c742c9363a Mon Sep 17 00:00:00 2001 From: Eric Wong Date: Mon, 18 Apr 2011 15:34:29 -0700 Subject: reseed OpenSSL PRNG upon fork() of workers OpenSSL seeds its PRNG with the process ID, so if a process ID is recycled, there's a chance of indepedent workers getting repeated PRNG sequences over a long time period iff the same PID is used. This only affects deployments that meet both of the following conditions: 1) OpenSSL::Random.random_bytes is called before forking 2) worker (but not master) processes are die unexpectedly The SecureRandom module in Ruby (and Rails) uses the OpenSSL PRNG if available. SecureRandom is used by Rails and called when the application is loaded, so most Rails apps with frequently dying worker processes are affected. Of course dying worker processes are bad and entirely the fault of bad application/library code, not the fault of Unicorn. Thanks for Alexander Dymo for reporting this. ref: http://redmine.ruby-lang.org/issues/4579 --- lib/unicorn/http_server.rb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/unicorn/http_server.rb b/lib/unicorn/http_server.rb index 2706568..69feb2f 100644 --- a/lib/unicorn/http_server.rb +++ b/lib/unicorn/http_server.rb @@ -487,7 +487,11 @@ class Unicorn::HttpServer def after_fork_internal @ready_pipe.close if @ready_pipe @ready_pipe = nil - srand # http://redmine.ruby-lang.org/issues/4338 + tmp = srand # http://redmine.ruby-lang.org/issues/4338 + + # The OpenSSL PRNG is seeded with only the pid, and apps with frequently + # dying workers can recycle pids + OpenSSL::Random.seed(tmp.to_s) if defined?(OpenSSL::Random) end def spawn_missing_workers -- cgit v1.2.3-24-ge0c7