Hi, Lutz Jaenicke, you wrote:
> Date: Mon, 15 May 2000 10:12:23 +0200
> Subject: Re: OpenSSL with EGD?
> It is hard to say what is going wrong from your description...
> 1. Check that EGD is actually running and supplying entropy. Use the "epc.pl"
> tool included in the EGD source package to check out the socket.
Okay, after doing step #3 below, I did this and it shows that EGD is working
fine.
> 2. The RAND_egd() function does not give any diagnostic output.
> Print out the return value to see whether it is "-1" (error condition)
> or a positive number. The positive number is the number of entropy
> bytes obtained (255 is the maximum you can get from EGD with one query).
Okay, I haven't done this, yet, but still have the question about where to put
the RAND_egd() call -- was it intended to replace existing RAND_seed() calls?
Or is it intended to supplement them? Or is it supposed to be called before
anything else?
> 3. $HOME/.rnd is the name of the PRNG support file used by the OpenSSL
> library to store seed information. Don't mix it with the EGD socket
> and use another name for the socket.
Thank you very much for this correction. Somehow I'd gotten the notion that
.rnd was supposed to be the socket. I've since fixed this
> 4. I am a bit confused about your "$HOME/.rnd" notion. This implies that you
> either have only one user to take care about and the service is just for
> him. Otherwise, the user name is only known when the TLS handshaking
> is already completed and the seeding is already too late.
Good point, and sorry I confused you with my confusion!
While it is true that right now I have only root running and care only about
that for testing purposes (the system under discussion will be rebuilt shortly
with Digital UNIX 5.0), the info in #3 combined with new information in
egc-0.8 (released just yesterday, btw) showed me what was intended for the
socket (egd recommends /etc/entropy).
I just haven't discovered whether the RAND_egd() changes need to be made to
openssl code, stunnel code, or both. Any further pointers greatly
appreciated.
> > I didn't find anything in stunnel that seemed to indicate the changes needed
> > to be there (I don't see any RAND_seed() or RAND_add() calls at all in the
> > stunnel sources).
> I don't know about Michal Trojnara's intentions.
> The release of stunnel 3.8 predates the release of OpenSSL 0.9.5 (the first
> release forcing correct seeding of the PRNG) by 4 days, so probably stunnel
> is not yet aware of that change. Please contact Michal and kindly ask him
> for an update of his widly used package.
Thanks very much, I'll try that tonight...
--
Allen J. Newton ([EMAIL PROTECTED]) -- Team *AMIGA*
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
