Frustrated mod-ssl installer, There is an answer for you! If you have gotten the an error similar to 18026:error:24064064:random number generator:SSLEAY_RAND_BYTES:prng not seeded:md_rand.c:470: when running mkcert.sh (make certificate does this with apache 1.3.12; mod-ssl-2.6.2-1.3.12; and openssl-0.9.5) do not dispair, do not delve into the source for openssl, do not use truss to trace the executaion of openssl (as did Csaba.Sudar and I did) and do not look for the answer in the FAQ's of either mod-ssl or openssl (both of which explicitly mention the exact problem and give you a solution that will NOT work). These ARE useful FAQ's and should be explored for other problems, just not this one. Setting the environment variable RANDFILE to ~/.rnd and populating this file with random data will NOT fix this problem. You are not an idiot. The problem is known and there is an answer. First no that the application 'openssl', part of openssl-0.9.5, is broken for rsa generation on systems that do not have /dev/urandom. See this thred in the openssl-dev mailing list: http://www.mail-archive.com/openssl-dev@openssl.org/msg04576.html & http://www.mail-archive.com/openssl-dev@openssl.org/msg04577.html This refers to a developement version of openssl ftp://ftp.openssl.org/snapshot;type=d in which a patch has been applied to fix this problem. For completness I will include below a portion of the discuss I have had with Bodo Moeller and Lutz Jaenicke (read all or go to bottom for the actual patch as given by Bodo Moeller): I need to point out that the developement of the openssl package is done by volunteers, and that I really appreciate the time and effort that has gone into this product. I would also like to suggest that the developers quickly add this patch to a service release for 0.9.5 and that they immediately change the FAQ to include a pointer to the thred mentioned above. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= On Thu, Mar 16, 2000 at 09:47:09AM -0500, Steve Parker wrote: > Some broken applications do not do this. One of these is openssl itself, when > using the rsa option. Get the newest version of openssl, 0.9.6, to fix this. Later Thu, Mar 16, 2000 Lutz replied: The rsa command as distributed with OpenSSL 0.9.5 is broken. It has been fixed and the fix will be in the next release. > OK, now for my piece-of-mind, where is the CVS repository? > For what does CVS stand? CVS is the Concurrent Version System. It is used to administrate the source code and its changes. It is a great tool, I use it for my own Finite Element software. You can access it from the OpenSSL homepage. Go to Downloads and there on top you will find the CVSweb access. It however only helps you, when you know what you are looking for. With regard to the discussion: We could have discussed this in openssl-users. I receive all of the openssl-* lists and I didn't note the fix before, even though this was discussed in openssl-dev just last weekend (Thread: 'prng not seeded' error when changeing RSA private key password, I just checked my archive) and probably already in another thread before that. Anyway. The PRNG seeding item is an important one and topics have been discussed repeatedly on openssl-* and modssl-*. Solving some of these problems requires fixing broken applications. Some others, like the one we just discussed, is a question of OpenSSL itself. As far as I have seen on the openssl-cvs list (all source code changes), not too many development changes have been made in the meantime, rather bug-fixes and compatibility issues. Hence, the OpenSSL developers team should consider (and I remember some comment about that already) to prepare a "maintainance release" taking care of these items. Otherwise it is hard to say where the difference is between OpenSSL internal weaknesses and broken applications. Let me finally point out, that you get what you pay for :-) OpenSSL (as mod_ssl etc) is done by a bunch of volunteers, (hopefully) having fun while doing it. Best regards, Lutz AND FROM BODO: On Thu, Mar 16, 2000 at 11:38:54AM +0100, Lutz Jaenicke wrote: > So, with regard to the dates, it is already fixed in the CVS repository > and Steve can either apply the patch above to his OpenSSL-0.9.5 _or_ > use a latest snapshot. Yes. > Adding a "-rand" option to rsa.c is not strictly necessary, as the problem > is solved differently, what about adding a app_RAND_load_file(NULL,...) > to rsa.c (and maybe others) anyway? As I said I'm considering this, it's just that this adds some complexity to the apps (and thus takes some time to write) because I don't want the application to waste time seeding the PRNG when it is not used at all. Actually in OpenSSL 0.9.4 even some of those programs that need strong random numbers did not seed the PRNG (s_client, s_server). "openssl rsa" in 0.9.5 errs on the safe said when it complains about insufficient seeding. This *is* a lot better than the total situation in the previous release, it's just that no-one noticed because OpenSSL was silent about the PRNG. AND EARLIER FROM BODO: On Thu, Mar 16, 2000 at 10:51:26AM +0100, Lutz Jaenicke wrote: > apps/rsa.c does not call app_RAND_load_file(NULL,...), so that the > RANDFILE is never evaluated. [...] > Finally, the problem must be solved by either adding a "-rand" option > and/or adding a app_RAND_load_file(NULL,...) call to _all_ applications > in the original OpenSSL release. (I just checked CVSweb, the problem is > not solved as of now.) The problem with apps/rsa.c is solved in that the previously failing function now uses weakly pseudorandom bytes (i.e. RAND_pseudo_bytes instaed of RAND_bytes; the former just discards the "PRNG not seeded" error message). RAND_bytes was used for generating encryption IVs; but unpredictability is not crucial here, the value will be public anyway. Adding additional seeding from RANDFILE might still be better (an attacker who knows in advance when you are going to encrypt your key might start to encrypt the expected IVs with all possible keys before you've even called that program, i.e. if he has huge storage facilities he can gain some time -- of course noone has enough storage for all keys if you use -idea or -des3, so this is just a theoretical concern); but it is not strictly necessary. > Actually I don't find it really clever, if a software runs on one platform > and not on the other one, when both were compiled using the standard > "configure", since on the one platform something happens "magically". > This is not meant as an offense, but it will make tracking down error > messages from users difficult. I discussed this with the other developers, and it was noted quite correctly that "It it perfectly reasonable to use the PRNG on Linux without adding any external data, while requiring say a command line option specifying a seed file on platforms without /dev/random." (I also pointed out that people using only FreeBSD or Linux for development should change the DEVRANDOM definition in e_os.h to "/dev/null" for thorough tests.) Obviously that bug for "openssl rsa" was not part of our plans :-) The patch is as follows: Index: pem_lib.c =================================================================== RCS file: /usr/local/openssl/cvs/openssl/crypto/pem/pem_lib.c,v retrieving revision 1.27 retrieving revision 1.29 diff -u -u -r1.27 -r1.29 --- pem_lib.c 2000/02/23 01:10:57 1.27 +++ pem_lib.c 2000/03/03 07:51:24 1.29 @@ -373,7 +373,7 @@ kstr=(unsigned char *)buf; } RAND_add(data,i,0);/* put in the RSA key. */ - if (RAND_bytes(iv,8) <= 0) /* Generate a salt */ + if (RAND_pseudo_bytes(iv,8) < 0) /* Generate a salt */ goto err; /* The 'iv' is used as the iv and as a salt. It is * NOT taken from the BytesToKey function */ ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
