diff options
author | Eric Wong <normalperson@yhbt.net> | 2011-04-18 15:34:29 -0700 |
---|---|---|
committer | Eric Wong <normalperson@yhbt.net> | 2011-04-18 15:45:22 -0700 |
commit | 1107ede716461049033d6a5b311e14c742c9363a (patch) | |
tree | 5a121be9cbd53662ac9e643b15df85b2a52cac70 | |
parent | b32416211ef30e958ec38c8c99833161cd476dd4 (diff) | |
download | unicorn-1107ede7.tar.gz |
OpenSSL seeds its PRNG with the process ID, so if a process ID is recycled, there's a chance of indepedent workers getting repeated PRNG sequences over a long time period iff the same PID is used. This only affects deployments that meet both of the following conditions: 1) OpenSSL::Random.random_bytes is called before forking 2) worker (but not master) processes are die unexpectedly The SecureRandom module in Ruby (and Rails) uses the OpenSSL PRNG if available. SecureRandom is used by Rails and called when the application is loaded, so most Rails apps with frequently dying worker processes are affected. Of course dying worker processes are bad and entirely the fault of bad application/library code, not the fault of Unicorn. Thanks for Alexander Dymo for reporting this. ref: http://redmine.ruby-lang.org/issues/4579
-rw-r--r-- | lib/unicorn/http_server.rb | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/unicorn/http_server.rb b/lib/unicorn/http_server.rb index 2706568..69feb2f 100644 --- a/lib/unicorn/http_server.rb +++ b/lib/unicorn/http_server.rb @@ -487,7 +487,11 @@ class Unicorn::HttpServer def after_fork_internal @ready_pipe.close if @ready_pipe @ready_pipe = nil - srand # http://redmine.ruby-lang.org/issues/4338 + tmp = srand # http://redmine.ruby-lang.org/issues/4338 + + # The OpenSSL PRNG is seeded with only the pid, and apps with frequently + # dying workers can recycle pids + OpenSSL::Random.seed(tmp.to_s) if defined?(OpenSSL::Random) end def spawn_missing_workers |