On Sun, May 14, 2000 at 10:39:34PM -0600, Allen J. Newton wrote:
> Digital UNIX doesn't have a /dev/*random, so I also got the EGD perl script
> and have executed it for a time as "egd.pl $HOME/.rnd" (and whatever other
> command line options the docs said to -- anyway EGD seems to be working fine,
> makes the socket, etc).
>
> But I'm still getting the "PRNG not seeded" message in the syslog when I try
> to launch stunnel. I built openssl after installing egd (and stunnel after
> that).
>
> So far, in the docs I've read, I haven't managed to figure out what all I'm
> supposed to change to make openssl work with egd. I replaced all the
> RAND_seed()'s with RAND_egd("$HOME/.rnd"); (where $HOME is actually the home
> directory of the user, NOT the string "$HOME" -- e.g. to test it all I'm using
> root's home and doing RAND_egd("/.rnd"); after having launched egd.pl to open
> that socket).
It is hard to say what is going wrong from your description...
1. Check that EGD is actually running and supplying entropy. Use the "epc.pl"
tool included in the EGD source package to check out the socket.
2. The RAND_egd() function does not give any diagnostic output.
Print out the return value to see whether it is "-1" (error condition)
or a positive number. The positive number is the number of entropy
bytes obtained (255 is the maximum you can get from EGD with one query).
3. $HOME/.rnd is the name of the PRNG support file used by the OpenSSL
library to store seed information. Don't mix it with the EGD socket
and use another name for the socket.
4. I am a bit confused about your "$HOME/.rnd" notion. This implies that you
either have only one user to take care about and the service is just for
him. Otherwise, the user name is only known when the TLS handshaking
is already completed and the seeding is already too late.
> I didn't find anything in stunnel that seemed to indicate the changes needed
> to be there (I don't see any RAND_seed() or RAND_add() calls at all in the
> stunnel sources).
I don't know about Michal Trojnara's intentions.
The release of stunnel 3.8 predates the release of OpenSSL 0.9.5 (the first
release forcing correct seeding of the PRNG) by 4 days, so probably stunnel
is not yet aware of that change. Please contact Michal and kindly ask him
for an update of his widly used package.
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
