On Tue, Feb 12, 2002 at 05:11:13PM -0500, POLIVKA-ROHRER, KEITH W (AIT) wrote:
> [I said:]
> > > dies with the "PRNG not seeded" error).
> > >
> > > The only way to clear this condition (which only happens for new
> > > installations) is to invoke the openssl command line, do a
> > req -new, and
> > > then I can genrsa in the future with that installation.
>
> [Lutz replied:]
> > Anyway it does not make much sense to me. openssl req -new
> > should fail with
> > the same problem (as long as no key is supplied with the -key option).
> > Of course you can always modify your script and add a "-rand"
> > option to
> > point to some source of randomness.
>
> I tracked it down to openssl sometimes using ~/.rnd and sometimes using the
> RANDFILE value in the openssl.cnf. I export OPENSSL_CONF as the full path
> of the openssl.cnf file I want, set $dir at the global level of that file,
> set RANDFILE=$dir/../keys/.rand on the very next line (still global), so I'm
> pretty sure I'm specifying everything right. But I've added a -rand flag to
> my script that calls genrsa, so hopefully it will get the clue now.
>
> It's only the openssl command line (not the shell command line) version of
> req -new that fixes ~/.rnd given a valid $RANDFILE; apparently all the rest
> of the options use one file or the other... Note that I did restate
> RANDFILE (same value) in my CA_Default section, but in any case the global
> value should be in effect, right?
I am not quite sure about the difference between the openssl command line
version of "req" and the shell command line version of "req" (if there
is any, the default build is using the monolitic executable only). In fact
they should behave the same.
What should be looked at is the initialization of the random number
generator using the built in init routines. A "grep app_RAND_load *.c"
in apps/ shows, that the two functions "app_RAND_load_file" (without 's')
and "app_RAND_load_files" (with 's') are called in different ways for
the different applications. Probably this will explain why the behaviour
is different for you (and maybe most people won't ever note, because
they do have /dev/urandom :-)
I cannot make any promise about a schedule, but it should be possible
to make the behaviour unique before the release of 0.9.7.
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
