mod_chroot + cURL and SSL leads to extremely slow performance

I’ve been fighting this problem for months now. When using cURL to connect to an API over SSL in my chroot’d web server, the application appeared to hang perpetually. After additional investigation, I discovered that it eventually gets the content but takes FOREVER to finish (approximately an hour). After restarting Apache without mod_chroot, everything works as expected. So I definitely had a problem with my jail.

A common cause of SSL/cURL/chroot problems is misplaced certificates or missing libraries. As stated in my article about creating a chroot’d environment for Apache, strace is your pal. I ran a few straces and was noticing the following at the point of connecting to the API:


6923 waitpid(-1, 0xbfdb0248, WNOHANG|WSTOPPED) = 0
6923 select(0, NULL, NULL, NULL, {1, 0}) = 0 (Timeout)
6923 waitpid(-1, 0xbfdb0248, WNOHANG|WSTOPPED) = 0
6923 select(0, NULL, NULL, NULL, {1, 0}) = 0 (Timeout)
6923 waitpid(-1, 0xbfdb0248, WNOHANG|WSTOPPED) = 0
6923 select(0, NULL, NULL, NULL, {1, 0}) = 0 (Timeout)
6923 waitpid(-1, 0xbfdb0248, WNOHANG|WSTOPPED) = 0
6923 select(0, NULL, NULL, NULL, {1, 0}) = 0 (Timeout)
6923 waitpid(-1, 0xbfdb0248, WNOHANG|WSTOPPED) = 0
6923 select(0, NULL, NULL, NULL, {1, 0}) = 0 (Timeout)
6923 waitpid(-1, 0xbfdb0248, WNOHANG|WSTOPPED) = 0

All libraries seem to be available, and I didn’t notice any ‘bad’ messages in the strace, so I was officially stuck. I posted a few mails to the cURL list as well as the mod_chroot list. Finally I got the answer that saved the day. /dev/urandom! Well, I had urandom in the jail, but the entropy was not good. I originally set it as 1, 8, but it should be 1, 9. Not sure where I got the 1, 8, because my non-jail urandom was definitely 1, 9.

My urandom was visible plain as day in the strace as well:


6926 stat64("/dev/urandom", {st_mode=S_IFCHR|0444, st_rdev=makedev(1, 8), ...}) = 0

Resetting this to 1, 9 and everything worked great! I updated the original article to reflect this discovery. Hope this helps someone.
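
The check described above can be automated; the following is an added example, not code from the original post. On Linux, (1, 8) is the device number of the blocking /dev/random and (1, 9) is /dev/urandom, so the script flags jail device nodes whose numbers do not match their names, both in strace output and on disk. The function names and the jail path /var/chroot/apache are assumptions made for illustration.

```python
import os
import re
import stat

# Standard Linux (major, minor) numbers for character devices a jail usually needs.
EXPECTED = {
    "/dev/null": (1, 3),
    "/dev/zero": (1, 5),
    "/dev/random": (1, 8),
    "/dev/urandom": (1, 9),
}

# Matches stat-family lines in strace output that report st_rdev for a /dev path.
STAT_RE = re.compile(
    r'stat\w*\(.*?"(?P<path>/dev/[^"]+)",'
    r'.*?st_rdev=makedev\((?P<maj>\w+),\s*(?P<min>\w+)\)'
)

def audit_strace(text):
    """Return (path, seen, expected) for every device stat with wrong numbers."""
    findings = []
    for line in text.splitlines():
        m = STAT_RE.search(line)
        if m and m["path"] in EXPECTED:
            # base 0 accepts decimal "8" as well as a hex "0x8" rendering
            seen = (int(m["maj"], 0), int(m["min"], 0))
            if seen != EXPECTED[m["path"]]:
                findings.append((m["path"], seen, EXPECTED[m["path"]]))
    return findings

def check_node(jail, dev):
    """Inspect the node on disk under the jail root; None means it is correct."""
    path = os.path.join(jail, dev.lstrip("/"))
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return f"{path}: missing"
    if not stat.S_ISCHR(st.st_mode):
        return f"{path}: not a character device"
    seen = (os.major(st.st_rdev), os.minor(st.st_rdev))
    if seen != EXPECTED[dev]:
        return f"{path}: is {seen}, expected {EXPECTED[dev]}"
    return None

if __name__ == "__main__":
    # Line taken from the post's strace; /var/chroot/apache is a hypothetical jail path.
    sample = '6926 stat64("/dev/urandom", {st_mode=S_IFCHR|0444, st_rdev=makedev(1, 8), ...}) = 0'
    print(audit_strace(sample))
    for dev in EXPECTED:
        print(dev, check_node("/var/chroot/apache", dev) or "ok")
```

Run it against a saved strace log or point `check_node` at the jail root after building it, so a mislabelled node is caught before the web server is started inside the jail.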