Over the last couple of days I was trying to wrap my head around a problem with the Ubuntu Citrix wfica client connecting to a Secure Gateway.
Sometimes it was “loading” quite fast and sometimes it was taking up to 30 sec to start connecting to the target server. The wfica process was listed as running but no HTTPS requests were initiated. The root cause of the unpredictable launch times was so-called entropy depletion: the Citrix wfica client needs random data to start the SSL connection and relies on /dev/random to collect it.
/dev/random uses keyboard, mouse and IDE disk activity as entropy sources, and apparently my entropy pool was not providing enough data.
The size of my pool (/proc/sys/kernel/random/entropy_avail) was almost always below 200.
So how do we deal with the problem?
Dirty cheat – a kind of security compromise
One quick fix for the issue is to use /dev/urandom instead of /dev/random. That can be done by simply replacing the device node with a symlink, as follows (PLEASE NOTE THAT YOU ARE BACKING UP /dev/random FIRST):
mv /dev/random /dev/random_bck    # keep the original device node around
ln -sf /dev/urandom /dev/random   # point /dev/random at the non-blocking /dev/urandom
NOTE: /dev/urandom is considered to produce data with less entropy and, correspondingly, a more predictable “random” key for your SSL communication (more info about the SSL/TLS handshake in this SANS whitepaper).
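To make the two checks above repeatable, here is a small POSIX shell script added as an example (it is not from the original post). It reports whether the pool is below the 200-bit level observed above (that threshold is an assumption taken from the figure in this post, not a kernel-defined limit) and audits whether /dev/random has been turned into a symlink to /dev/urandom, which is what an administrator would want to detect on a host after the workaround above has been applied. The function names pool_status and random_redirected are my own.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Checks the kernel entropy pool and detects a /dev/random -> /dev/urandom symlink.

# Assumed low-water mark, taken from the ~200 bits the post reports seeing.
LOW_WATERMARK=200

# pool_status FILE: print "low", "ok" or "unreadable" for the entropy count
# held in FILE (normally /proc/sys/kernel/random/entropy_avail; the path is a
# parameter so the function can be exercised against a constructed sample).
pool_status() {
    avail=$(tr -dc '0-9' < "$1" 2>/dev/null)
    if [ -z "$avail" ]; then
        echo "unreadable"
    elif [ "$avail" -lt "$LOW_WATERMARK" ]; then
        echo "low"
    else
        echo "ok"
    fi
}

# random_redirected PATH: succeed (exit 0) if PATH is a symlink whose target
# names urandom, i.e. the "dirty cheat" above has been applied; fail otherwise.
random_redirected() {
    [ -L "$1" ] || return 1
    case "$(readlink "$1")" in
        *urandom*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Report on the live system when the proc file exists (Linux only).
if [ -r /proc/sys/kernel/random/entropy_avail ]; then
    printf 'entropy pool: %s (%s bits available)\n' \
        "$(pool_status /proc/sys/kernel/random/entropy_avail)" \
        "$(cat /proc/sys/kernel/random/entropy_avail)"
    if random_redirected /dev/random; then
        echo "WARNING: /dev/random is a symlink to $(readlink /dev/random)"
    fi
fi
```

Run it directly to get a one-line status for the host; dropping the script into a cron job or a configuration-audit check lets you spot both symptoms (a starved pool and a silently redirected /dev/random) before users report slow wfica launches.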
Another approach – feeding the hungry pool
There is an option to use audio and video devices as an entropy source. More information on that one here.