Title: RE: certificate problem

        Lutz,

                Well, sometimes installing additional software is not acceptable, as was in my case. Do you have any other suggestions for people like me? We ship a product that uses OpenSSL and we don't want to install 3rd party apps. While Soo Hom just wants to create certificates with the openssl tool, what would you suggest be done programmatically to generate random bytes if we cannot install a PRNG emulation package? Thanks.

- Andrew

> -----Original Message-----
> From: Lutz Jaenicke [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 28, 2001 5:27 AM
> To: [EMAIL PROTECTED]
> Subject: Re: certificate problem
>
>
> On Wed, Nov 28, 2001 at 08:47:13AM +0100, [EMAIL PROTECTED] wrote:
> > Solaris does not support the device /dev/urandom which is necessary to
> > seed the PRNG by default. You can either install a package which
> > emulates /dev/urandom or seed the PRNG manually by the following commands:
> >
> >    unsigned char seed_buffer [1024] ;
> >
> >    RAND_pseudo_bytes(seed_buffer, 1024) ;
> >    RAND_seed(seed_buffer, 1024) ;
> >    ...
> >    RSA_generate_key(...)
>
>
> This, with all due respect, is no good advice. Depending on
> the platform (and maybe even compiler settings), the buffer
> may be memset to 0. Generating pseudo bytes from it will mix
> in the PID and have the pool mixed. That might look random,
> but finally (if somebody finds out your method), the
> generated keys are weak. I strongly suggest using one
> of the alternative PRNG sources described in the FAQ.
>
> Best regards,
>       Lutz
> --
> Lutz Jaenicke                            [EMAIL PROTECTED]
> BTU Cottbus              http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
> Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
>
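
Lutz's objection in the quoted reply, worked through as an added example that is not part of the original thread and is not OpenSSL code. It models the quoted recipe with a toy FNV-1a mixer standing in for the real pool, assumes a zeroed `seed_buffer` and a PID range of 30000, and counts how many distinct keys the recipe can ever reach.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#define SEED_LEN 1024   /* size of seed_buffer in the quoted snippet */

/* Toy pool mixer (FNV-1a). A stand-in, NOT OpenSSL's real PRNG. */
static uint64_t mix(uint64_t s, const unsigned char *p, size_t n) {
    for (size_t i = 0; i < n; i++) { s ^= p[i]; s *= 0x100000001b3ULL; }
    return s;
}

/* Model of the quoted recipe: the PID is the only per-process input. */
uint64_t derive_key(uint32_t pid) {
    unsigned char buf[SEED_LEN] = {0};       /* worst case: zeroed buffer */
    /* fixed, publicly known start state, then the PID is mixed in */
    uint64_t pool = mix(0xcbf29ce484222325ULL, (const unsigned char *)&pid, sizeof pid);
    for (size_t i = 0; i < SEED_LEN; i++) {  /* "pseudo bytes" fill the buffer */
        pool = mix(pool, buf + i, 1);
        buf[i] = (unsigned char)(pool >> 56);
    }
    return mix(pool, buf, sizeof buf);       /* "seed" the pool with its own output */
}
static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* How many different keys can this recipe ever produce? */
size_t count_distinct_keys(uint32_t max_pid) {
    uint64_t *k = malloc(max_pid * sizeof *k);
    size_t distinct = 0;
    if (!k) return 0;
    for (uint32_t pid = 1; pid <= max_pid; pid++) k[pid - 1] = derive_key(pid);
    qsort(k, max_pid, sizeof *k, cmp_u64);
    for (uint32_t i = 0; i < max_pid; i++) distinct += (i == 0 || k[i] != k[i - 1]);
    free(k);
    return distinct;
}

/* floor(log2(n)): bits an observer who knows the method has to guess. */
unsigned keyspace_bits(size_t n) {
    unsigned bits = 0;
    while (n > 1) { n >>= 1; bits++; }
    return bits;
}

int main(void) {
    size_t n = count_distinct_keys(30000);   /* 30000: assumed PID range */
    printf("buffer: %d bits, reachable keys: %zu (~%u bits)\n", SEED_LEN * 8, n, keyspace_bits(n));
}
```

Feeding the pool its own output adds nothing: the reachable key count is bounded by the number of PIDs, however large the seed buffer is.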
