On Tue, Feb 29, 2000 at 01:08:39AM -0500, Peter Avalos wrote:
> After upgrading from OpenSSL 0.9.4 to 0.9.5, I get this error when trying to
> start apache:
> [error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key
> 
> I can't find any information about this error.
> 
> Here's some info about my webserver:
> [notice] Apache/1.3.12 (Unix) PHP/3.0.15 mod_ssl/2.6.0 OpenSSL/0.9.4
> 
> BSD/OS xenon 4.0.1 BSDI BSD/OS 4.0.1 Kernel #2: Tue Feb 22 22:50:55 PST 2000
> pavalos@xenon:/usr/src/sys/compile/XENON  i386

Hi,

I just experienced the same problem (but I have been prepared :-)
OpenSSL 0.9.5 is more picky about the correct seeding of the PRNG
(pseudo random number generator). It seems (did not check this out *) that the
internal seed generation
 SSLRandomSeed startup builtin
is not good enough anymore (not enough entropy bits).
You must now explicitly seed the PRNG as described. Since you have a BSD
derivative you might have a /dev/urandom device. Use
 SSLRandomSeed startup file:/dev/urandom 512
If you don't have one, you must load entropy bits from another source.
Specify a file containing random bits as in
 SSLRandomSeed startup file:/etc/postfix/random_file 1024
I recommend obtaining EGD (described in the OpenSSL 0.9.5 docs) in this case.
It includes a sample script egc.pl, so that you can
 perl5 egc.pl /var/run/egd-pool read 255 > /etc/postfix/random_file
before starting apache.
Of course, your filenames will be different :-)

Since 0.9.5 includes support for EGD, Ralf should consider including a
 SSLRandomSeed startup egd:/path/to/egd-socket
feature into mod_ssl.

Best regards,
        Lutz

(*) I did not trace the mod_ssl startup, but after seeding the PRNG as
described, Apache/mod_ssl started up fine. Hence I am quite confident that
my guess is not too far off.
(Note) When /dev/urandom is available, the OpenSSL-library might use it
for additional seeding directly without asking anybody about it. So probably
you don't have /dev/urandom and users of Linux (and some other OS) will not
be able to reproduce this effect.
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
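
The seed-source choice described in the message above, written as a pre-start check. This is an added example, not part of the original post and not code from mod_ssl or OpenSSL. The function name `pick_seed_directive`, its arguments, its return codes, and the empty-file and permission checks are assumptions of this example.

```shell
#!/bin/sh
# Added example: choose the SSLRandomSeed startup line before starting Apache.
# pick_seed_directive, its arguments and its return codes are assumptions of
# this example, not part of mod_ssl or OpenSSL.
#
# usage: pick_seed_directive <random_device> <seed_file> <bytes>
#   0  directive printed on stdout
#   1  neither the device nor the seed file is usable
#   2  seed file exists but is empty
#   3  seed file is world-readable (its contents become PRNG seed material)
pick_seed_directive() {
    dev=$1
    file=$2
    bytes=$3

    # Preferred source: a readable character device such as /dev/urandom.
    if [ -c "$dev" ] && [ -r "$dev" ]; then
        echo "SSLRandomSeed startup file:$dev $bytes"
        return 0
    fi

    # Fallback: a regular file filled with random bits before startup.
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "no seed source: $dev is not a device, $file is not readable" >&2
        return 1
    fi
    if [ ! -s "$file" ]; then
        echo "seed file $file is empty" >&2
        return 2
    fi
    # find prints the path only if the "other" read bit is set.
    if [ -n "$(find "$file" -perm -004)" ]; then
        echo "seed file $file is world-readable; chmod 600 it" >&2
        return 3
    fi
    echo "SSLRandomSeed startup file:$file $bytes"
    return 0
}
```

Called as `pick_seed_directive /dev/urandom /etc/postfix/random_file 512`, it prints the line to put in the Apache configuration, or explains on stderr why no seed source is usable.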