I have to admit that I am just putting my 2 cents in at the tail of this discussion, and I did miss some of the earlier posts in this thread, but my recent experience with OpenSSL client coding may shed some light here.

The project involved an https load generator, primarily used for correctness testing of another project. I had the worst time getting the initial handshake to work. The dreaded 'PRNG not seeded' message kept plaguing me. Finally I did about a hundred searches on the openssl-users list archives (no, it isn't in the FAQ), and found that 0.9.5 and later have some problem seeding the handshake values if /dev/urandom does not exist (like on Solaris 2.7). The entries I found said that the current snapshots should fix it (and yes, it is a bug). I also found that a co-worker had no problem with his client and server code, but he was using 0.9.4. So I built and installed 0.9.4, 0.9.5a, and the snapshot from 6/27/2000, then just linked the one I wanted to use to /usr/local/ssl, which my code linked through. Here is what I found:

My code miraculously worked without modification when building against 0.9.4.

0.9.5a and the snapshot broke the same code at the handshake, giving the 'PRNG not seeded' message.

After this, I went back to the output saved from all three builds. 0.9.4 ran through the tests without a hitch. 0.9.5a and the snapshot came up with the 'not seeded with enough data' message during the cert creation and translation tests and suggested that I set the RANDFILE environment variable, which helped exactly squat.

My solution: use 0.9.4 until a new release of OpenSSL comes out that can handle a system without /dev/urandom. I have no idea how to get around that without hacking the system, which is not an option. Our code will have to run on systems that may or may not have the /dev/urandom device, so I can't use something that relies on it.

Maybe stunnel isn't the problem? Try building it against 0.9.4. Just for yuks.
Louis LeBlanc
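An added example, not from this post or from OpenSSL itself: the explicit seeding an application has to do on a host without /dev/urandom once 0.9.5 started checking RAND_status() before the handshake. It is written against Python's stdlib ssl module, which exposes the same RAND_status/RAND_add/RAND_bytes calls; rand_file_name() reimplements the RANDFILE lookup ($RANDFILE, then $HOME/.rnd), and load_seed_file()/write_seed_file() are assumed helpers mirroring RAND_load_file/RAND_write_file, including the point that a seed file only helps if it actually carries entropy.

```python
import os
import ssl
import tempfile

SEED_BYTES = 1024  # 0.9.5+ refuses the handshake until RAND_status() reports "seeded"

def rand_file_name(env=None):
    """RANDFILE lookup as OpenSSL's RAND_file_name() does it: $RANDFILE, else $HOME/.rnd."""
    env = os.environ if env is None else env
    if env.get("RANDFILE"):
        return env["RANDFILE"]
    home = env.get("HOME")
    return os.path.join(home, ".rnd") if home else None

def load_seed_file(path, entropy_per_byte=1.0):
    """RAND_load_file counterpart (assumed helper): bytes fed to the PRNG, 0 if unusable."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(SEED_BYTES)
    except OSError:
        return 0
    # The entropy estimate is what flips RAND_status(); a stale or all-zero
    # file "loads" fine yet adds no real randomness, so RANDFILE alone is no fix.
    ssl.RAND_add(data, len(data) * entropy_per_byte)
    return len(data)

def ensure_seeded(seed_file=None):
    """True once the PRNG is seeded, loading the RANDFILE location only if needed."""
    if ssl.RAND_status():  # already seeded, e.g. from /dev/urandom
        return True
    path = seed_file or rand_file_name()
    if path and load_seed_file(path) > 0:
        return bool(ssl.RAND_status())
    return False

def write_seed_file(path):
    """RAND_write_file counterpart (assumed helper): persist fresh PRNG output, mode 0600."""
    if not ssl.RAND_status():
        raise RuntimeError("refusing to write a seed file from an unseeded PRNG")
    data = ssl.RAND_bytes(SEED_BYTES)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return len(data)

def roundtrip_demo():
    """Write a seed file in a temp dir and reload it; returns (bytes written, bytes loaded)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "seed")
        return write_seed_file(path), load_seed_file(path)
```

Call ensure_seeded() before the first SSL_connect-equivalent and write_seed_file() at clean shutdown so the next start has a seed even with no kernel device.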
Richard Levitte - VMS Whacker wrote:
> From: Lutz Jaenicke <[EMAIL PROTECTED]>
>
> Lutz.Jaenicke> To the OpenSSL-Administrators: please update the
> Lutz.Jaenicke> stunnel entry (considering this to be the new official
> Lutz.Jaenicke> home of stunnel!?).
>
> *clicketiclick*
>
> --
> Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
> Chairman@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47
> Redakteur@Stacken \ SWEDEN \ or +46-709-50 36 10
> Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
> Member of the OpenSSL development team: http://www.openssl.org/
> Software Engineer, Celo Communications: http://www.celocom.com/
>
> Unsolicited commercial email is subject to an archival fee of $400.
> See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]