Start by running something like this before you do other SSL stuff:
time_t seed[64];
for (int ii = 0; ii < 64; ii++)
{
time_t t = time (NULL);
seed[ii] = t;
}
RAND_seed (seed, 64 * sizeof (time_t));
You'll might get 64 quantities all the same in the see array because the
routine will complete in less time than the granularity of the 'time'
function can measure, but it's still a random pile of bits and it completes
very quickly.
Some out there may hate this because it's not "random enough", but solutions
like "RAND_screen()" take FOREVER (about 20 seconds on my 500MHz PIII).
RAND_screen() is an option, though, and if you poke around you'll see lots
of different solutions for seeding the pseudo random number generator
(PRNG).
-----Original Message-----
From: Braun Brelin [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 20, 2000 11:25 AM
To: [EMAIL PROTECTED]
Subject: Cipher question...
Hello,
I'm getting errors of the following sort
between my client and the s_server
running under the openssl app...
(Note: Using latest OpenSSL 0.95a on a
SPARCstation 5 running Solaris 2.6).
15894:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not
seeded:m
d_rand.c:538:
15894:error:05067003:Diffie-Hellman routines:DH_generate_key:BN
lib:dh_key.c:148
:
15894:error:14098005:SSL routines:SSL3_SEND_CLIENT_KEY_EXCHANGE:bad asn1
object
header:s3_clnt.c:1405:
I know that the first one is probably
caused by my not having the Sun patch for /dev/random. However, is this
what's causing the other errors? I'd not be inclined to think so, since I
can use the mincli.pl example from
Net::SSLeay.pm and it will correctly pick up a cipher from the server.
Since the error seemed to be associated with the SSL V3 protocol, I changed
from SSL_v23_method() to using SSL_v2_method().
This got rid of the two bottom errors, but the server now got the following
error:
14966:error:1406B0FD:SSL routines:GET_CLIENT_MASTER_KEY:unknown remote error
typ
e:s2_pkt.c:586:
The SSL server is using a dummy certificate
(i.e. one I made up) rather than a "real" certificate from a third-party, or
a CA server.
Any thoughts appreciated...
Please e-mail me direct since I'm not on the
mailing list: [EMAIL PROTECTED]
Thanks,
Braun Brelin
[EMAIL PROTECTED]
--== Sent via Deja.com http://www.deja.com/ ==--
Before you buy.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
