error:24064064: PRNG not seeded on one intel processor model
Hi all, I have a FIPS application based on openssl-fips 2.0.2 and openssl-1.0.1c. It worked fine a year ago and still works on most server platforms except one. The server model number has not change, but the cpu inside has changed from Intel Xeon E3-1220, Family 6 Model 42, sandy bridge, to E3-1220v2 Family 6 Model 58, ivy bridge. The company who helped us developed the FIPS shared lib track the failure to fips_get_entropy(), but can't tell why it fails in the ivy bridge processor, but not in other older processors. They patched a known problem http://rt.openssl.org/Ticket/Display.html?id=2786user=guestpass=guest. That change bring us a step further but landed on FIPS_mode_set(1) fail with PRNG not seeded. Can anyone shed some light on why my application fail on server with the ivy bridge cpu? Perhaps another question is what do I have to do to seed PRNG? There is one more clue. My application previously initialized openssl in this order: 1. OpenSSL_add_all_algorithms() 2. FIPS_mode_set(1) I thought may be the order is wrong so switch them around. Well the application works, on E3-1220, on E3-1220v2 and all the other servers. Is this the correct sequence to initialize openssl-fips? If true, how come the wrong sequence does not fail on other processors? Thanks for help. sialnije
Windows 2003 PRNG not seeded
We have an application that link to link point, it uses open ssl and It is always giving us get a PRNG not seeded How can we solve it Thanks for help ___ Shadi Jawhar Web Master - Manager - Premium IT Services Ras El Nabih, Beirut, Lebanon D:961-3-997488 | mailto:webmas...@0 webmas...@premiumitservices.com blocked::http://www.almustaqbal.com/ http://www.almustaqbal.com Web Master - Al Mustaqbal NewsPaper Ramle il Bayda, Beirut, Lebanon D:961-1-797-779 ext 164 | blocked::mailto:sjaw...@almustaqbal.com.lb sjaw...@almustaqbal.com.lb blocked::http://www.almustaqbal.com/ http://www.almustaqbal.com University Instructor - IPNET Jnah, Beirut, Lebanon D:961-1-833-339 | blocked::mailto:shadi_jaw...@hotmail.com shadi_jaw...@hotmail.com blocked::http://www.ipnet.edu.lb/ http://www.ipnet.edu.lb PHD Student - Rennes University - Equipe d'Armor 35042 Rennes Cedex France M:033-6-25319169 | mailto:sjaw...@irisa.fr sjaw...@irisa.fr http://www.irisa.fr/armor/Armor-Ext/Equipe.htm http://www.irisa.fr/armor/Armor-Ext/Equipe.htm
Re: Windows 2003 PRNG not seeded
That's OpenSSL FAQ #1: http://www.openssl.org/support/faq.html#USER1 On Thu, Mar 12, 2009 at 4:49 PM, Shadi Jawhar (IM) shadi_jaw...@hotmail.com wrote: We have an application that link to link point, it uses open ssl and It is always giving us get a PRNG not seeded How can we solve it -- Met vriendelijke groeten / Best regards, Ger Hobbelt -- web:http://www.hobbelt.com/ http://www.hebbut.net/ mail: g...@hobbelt.com mobile: +31-6-11 120 978 -- __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: ERROR in openssl 0.9.8a: PRNG not seeded
Sundaram, Balaji (MSB) wrote: Hi all, We are migrating from openssl 0.9.7g to 0.9.8a. During this migration we are getting the following error. This error appears in Solaris 7 and HP-UX 11.0 platforms. But the same works in Solaris 8 and Linux platforms. In solaris 8, we found that /dev/random and /dev/urandom files exist. But in case of Solaris 7 these files are not Hi, go to http://www.sunfreeware.com/ - there you'll find needed patches for Solaris. -- Best Regards, Massimiliano Pala --o Massimiliano Pala [OpenCA Project Manager] [EMAIL PROTECTED] Tel.: +39 (0)11 564 7081 http://security.polito.it Fax:+39 178 270 2077 Mobile: +39 (0)347 7222 365 Politecnico di Torino (EuroPKI) Certification Authority Informations: Authority Access Point http://ca.polito.it Authority's Certificate: http://ca.polito.it/ca_cert/en_index.html Certificate Revocation List: http://ca.polito.it/crl02/crl.crl --o smime.p7s Description: S/MIME Cryptographic Signature
ERROR in openssl 0.9.8a: PRNG not seeded
Hi all, We are migrating from openssl 0.9.7g to 0.9.8a. During this migration we are getting the following error. This error appears in Solaris 7 and HP-UX 11.0 platforms. But the same works in Solaris 8 and Linux platforms. In solaris 8, we found that /dev/random and /dev/urandom files exist. But in case of Solaris 7 these files are not present. In the same solaris 7 machine openssl 0.9.7g does not give this error. Does 0.9.8a support Solaris 7, HP-UX 11.0 platforms? Could anyone suggest what the solution is? Thanks in advance. Regards, Balaji --- Country Name (2 letter code) [AU]:AUOrganization Name (eg, company) []:Dodgy BrothersCommon Name (eg, YOUR name) []:Dodgy CAconvert the certificate request into a self signed certificate using 'x509'unable to load 'random state'This means that the random number generator has not been seededwith much random data.Consider setting the RANDFILE environment variable to point at a file that'random' data can be kept in (the file will be overwritten).Signature oksubject=/C=AU/O=Dodgy Brothers/CN=Dodgy CAGetting Private key6215:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:503:You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html6215:error:04088003:rsa routines:RSA_setup_blinding:BN lib:rsa_lib.c:407:6215:error:04066044:rsa routines:RSA_EAY_PRIVATE_ENCRYPT:internal error:rsa_eay.c:364:6215:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:a_sign.c:276:error using 'x509' to self sign a certificate request*** Error code 1make: Fatal error: Command failed for target `test_ss'Current working directory /DE/security/external/openssl/SunOS5.7/openssl-0.9.8a/test*** Error code 1make: Fatal error: Command failed for target `tests' openssl build complete.
PRNG not seeded on 0.9.8
Hi, OpenSSL 0.9.7 works with the following command. % env HOME=/ /usr/local/ssl097/bin/openssl genrsa 512 Generating RSA private key, 512 bit long modulus .. . unable to write 'random state' e is 65537 (0x10001) -BEGIN RSA PRIVATE KEY- MIIBOwIBAAJBAM3frGlqKZMS0ssaPODGd/OYXzVszIFqwtMofmG48+lYt4QxMoJX n0StSxfyj7qcTcYQ17wOJixseuHMFtUDWtkCAwEAAQJAchsbEIJK8L1qIDA2tc7L BTTa8F2RK9nkiezTv44ngpkuNGspfIuQAlJzK06g1bYpxPiiOWud+MhVWl4BxeM+ EQIhAPiH8uEQuFC3NRoeUx1Gbud14NygR/kbtZuwQlh5WvH7AiEA1A+LYM9SJRlV pawdJga/fNf+UIMNTjb7KbX0VOzq4jsCIATZqlzIFcDFgozK8LZOjJWJ0GSd4Cm1 Z7rtGq5dV/AHAiEAw7hhFIXktBbw5Iq5EGqz+37C2v5JnoHCSFoGWwebNhcCIQCu sL48EEGQJcmwwJy3Wm+m8/zAWD4fjLo0q4FxpTzk8g== -END RSA PRIVATE KEY- But 0.9.8 fails. % env HOME=/ /usr/local/ssl098/bin/openssl genrsa 512 warning, not much extra random data, consider using the -rand option Generating RSA private key, 512 bit long modulus 28601:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:503:You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html 28601:error:04081003:rsa routines:RSA_BUILTIN_KEYGEN:BN lib:rsa_gen.c:183: Is this intended behavior? -- gotoyuzo __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: PRNG not seeded on 0.9.8
[EMAIL PROTECTED]:rand diff rand_unix.c~ rand_unix.c 156c156 static const char *randomfiles[] = { DEVRANDOM }; --- static const char *randomfiles[] = { DEVRANDOM }; Peter Waltenberg GOTOU Yuuzou [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 17/06/2005 05:21 PM Please respond to openssl-dev To openssl-dev@openssl.org cc Subject PRNG not seeded on 0.9.8 Hi, OpenSSL 0.9.7 works with the following command. % env HOME=/ /usr/local/ssl097/bin/openssl genrsa 512 Generating RSA private key, 512 bit long modulus .. . unable to write 'random state' e is 65537 (0x10001) -BEGIN RSA PRIVATE KEY- MIIBOwIBAAJBAM3frGlqKZMS0ssaPODGd/OYXzVszIFqwtMofmG48+lYt4QxMoJX n0StSxfyj7qcTcYQ17wOJixseuHMFtUDWtkCAwEAAQJAchsbEIJK8L1qIDA2tc7L BTTa8F2RK9nkiezTv44ngpkuNGspfIuQAlJzK06g1bYpxPiiOWud+MhVWl4BxeM+ EQIhAPiH8uEQuFC3NRoeUx1Gbud14NygR/kbtZuwQlh5WvH7AiEA1A+LYM9SJRlV pawdJga/fNf+UIMNTjb7KbX0VOzq4jsCIATZqlzIFcDFgozK8LZOjJWJ0GSd4Cm1 Z7rtGq5dV/AHAiEAw7hhFIXktBbw5Iq5EGqz+37C2v5JnoHCSFoGWwebNhcCIQCu sL48EEGQJcmwwJy3Wm+m8/zAWD4fjLo0q4FxpTzk8g== -END RSA PRIVATE KEY- But 0.9.8 fails. % env HOME=/ /usr/local/ssl098/bin/openssl genrsa 512 warning, not much extra random data, consider using the -rand option Generating RSA private key, 512 bit long modulus 28601:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:503:You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html 28601:error:04081003:rsa routines:RSA_BUILTIN_KEYGEN:BN lib:rsa_gen.c:183: Is this intended behavior? -- gotoyuzo __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
RE: prng not seeded problem
which is where I am where this is bombing. I'm getting the dreaded unable to write key 21093:error:24064064:random number generator:SSLEAY_RAND_BYTES:prng not seeded:md_rand.c:470: error message when installing mod_ssl. I have a /.rnd file, which is what the mod_ssl docs say is what you make to solve this error. I ran the mkcert.sh script that the mod_ssl setup is using with -x; where it's bombing is with the following command: Install the entropy daemon mentioned in the docs. You need to get a /dev/urandom or the like. If you search the docs, you can find a reference. I installed the entropy daemon that is mentioned on a system very similar to yours and it worked out nicely. Cheers, Craig Skelton /* ___ _ ( \ (_) | | ) ) _ _ | | ___ ___ | __ ( / ___) |/ || |/ _ |/ _ )/___)/ ___) _ \|\ | |__) ) | | ( (_| ( ( | ( (/ /|___ ( (__| |_| | | | | |__/|_| |_|\|\_|| |\|___(_))___/|_|_|_| (_| */ __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
prng not seeded problem
When you install mod_ssl with apache one of the steps is make certificate which is where I am where this is bombing. I'm getting the dreaded unable to write key 21093:error:24064064:random number generator:SSLEAY_RAND_BYTES:prng not seeded:md_rand.c:470: error message when installing mod_ssl. I have a /.rnd file, which is what the mod_ssl docs say is what you make to solve this error. I ran the mkcert.sh script that the mod_ssl setup is using with -x; where it's bombing is with the following command: /usr/local/bin/openssl rsa -des3 -in ../conf/ssl.key/server.key -out ../conf/ssl.key/server.key.crypt After this failure the ls for those two files is as follows: 2 -r--r--r-- 1 root root 887 May 15 16:22 ssl.key/server.key 0 -rw--- 1 root other 0 May 15 16:23 ssl.key/server.key.crypt I've posted this query to the openssl mailing list but no one has responded so I'm guessing it's a new bug. The FAQ for openssl doesn't give any clues as to how to handle this error. apache_1.3.12 mod_ssl-2.6.4-1.3.12 solaris 5.7 (sparc) gcc 2.95.2 OpenSSL 0.9.5 28 Feb 2000 built on: Mon May 15 12:18:43 PDT 2000 platform: solaris-sparcv9-gcc options: bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,16,long) idea(int) blowfish(ptr) compiler: gcc -DTHREADS -D_REENTRANT -fPIC -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: PRNG not seeded in Window NT
Pablo J. Royo [EMAIL PROTECTED]: When I had the same problem in Win95 with PKCS7 routines I put: static const char rnd_seed[ ] = "string to make the random number generator think it has entropy"; as a global variable, then called RAND_seed(rnd_seed, sizeof rnd_seed); just after my OpenSSL_add_all_algorithms() routine, and it worked. I have seen this in ssltest.c example Obviously, you can't do this in production code. For ssltest we don't care if the PRNG isn't unpredictable, but if you want secure encryption, then you need secure random numbers. So if you add a fixed seed to be able to test initial versions of the program, you have to make very sure that you replace this by really random seedings as soon as possible. __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: PRNG not seeded in Window NT
Hi there, At 03:38 PM 4/4/00 +0200, you wrote: When I try to use "SSL_connect", I get also the error message "PRNG not seeded". I have read the old messages about the problem. But it seems that all the messages are about Unix/Linux, but not Windows. Someone said that with RAND_egd() can solve the problem. I have checked the code and find the following code in rand_egd.c: #if defined(WIN32) || defined(VMS) || defined(__VMS) int RAND_egd(const char *path) { return(-1); } #else ... What can I do in Windows NT? There's a function called RAND_screen() that is only implemented on WIN32 and uses the current screen contents as random seed. Not terribly good at the best of times, especially if your program runs as an NT service and the screen consists of the same log-in prompt (assuming RAND_screen() can obtain the screen context in such a circumstance, I have no idea). The other thing is wiggle the mouse a lot, handle mouse-movement events, and pipe that (and any other randomness information you can find) into; void RAND_seed(const void *buf, int num); :-) I'd advise trying to find a lot though ... perhaps kernel stats, file-IO information, network stats, etc etc. OpenSSL can only be as secure as its random-number generator, which can only be as secure as the random seed you give it. (Note, you can't replace those "can only be" phrases with "is"! :- ). Cheers, Geoff __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: PRNG not seeded in Window NT
Geoff Thorpe wrote: I'd advise trying to find a lot though ... perhaps kernel stats, file-IO information, network stats, etc etc. OpenSSL can only be as secure as its random-number generator, which can only be as secure as the random seed you give it. (Note, you can't replace those "can only be" phrases with "is"! :- ). with much respect to Per Nilsson for supplying this. should/can be used in addition to suitable hardware // Random seeding modeled after Netscapes SEC package // but keeps looping, sampling the high resolution timer // and the cursor position periodically. This should be // truly random if there is any load at all on the machine. unsigned long WINAPI RandomThread(PVOID dummy) { UUID uuid; POINT pt; LARGE_INTEGER ci; MEMORYSTATUS mem; DWORD dw1,dw2,dw3,dw4; char vol[128],fs[128]; void *p; dw1=GetTickCount(); RAND_seed((unsigned char *)dw1,sizeof(dw1)); p=GetCurrentProcess(); RAND_seed((unsigned char *)p,sizeof(p)); dw1=GetCurrentProcessId(); RAND_seed((unsigned char *)dw1,sizeof(dw1)); p=GetCurrentThread(); RAND_seed((unsigned char *)p,sizeof(p)); dw1=GetCurrentThreadId(); RAND_seed((unsigned char *)dw1,sizeof(dw1)); dw1=GetLogicalDrives(); RAND_seed((unsigned char *)dw1,sizeof(dw1)); GetVolumeInformation(0,vol,sizeof(vol),dw1,dw2,dw3,fs,sizeof(fs)); RAND_seed(vol,strlen(vol)); RAND_seed(fs,strlen(fs)); RAND_seed((unsigned char *)dw1,sizeof(dw1)); RAND_seed((unsigned char *)dw2,sizeof(dw2)); RAND_seed((unsigned char *)dw3,sizeof(dw3)); GetDiskFreeSpace(0,dw1,dw2,dw3,dw4); RAND_seed((unsigned char *)dw1,sizeof(dw1)); RAND_seed((unsigned char *)dw2,sizeof(dw2)); RAND_seed((unsigned char *)dw3,sizeof(dw3)); RAND_seed((unsigned char *)dw4,sizeof(dw4)); mem.dwLength=sizeof(mem); GlobalMemoryStatus(mem); RAND_seed((unsigned char *)mem,sizeof(mem)); dw1=sizeof(vol); GetComputerName(vol,dw1); RAND_seed(vol,dw1); memset(uuid,0,sizeof(uuid)); UuidCreate(uuid); RAND_seed((unsigned char *)uuid,sizeof(uuid)); for(;;) { QueryPerformanceCounter(ci); RAND_seed((unsigned char *)ci,sizeof(ci)); GetCursorPos(pt); RAND_seed((unsigned char *)pt,sizeof(pt)); Sleep(1000); //rand_cb(gCtx); } return 0; // unreachable. but the fuction should have a return value ! } Regards Neil Costigan begin:vcard n:Costigan;Neil tel;cell:us: 650 787 7603 euro: +46.708.977.482 tel;work:us: 650 938 7600 x 204 euro: +46.8.5872.8822 x-mozilla-html:FALSE url:www.celocom.com org:A HREF="http://www.celocom.com"Celo Communications/Abrcêlo, âvi, âtum, (latin) 1,v.a. to hide something from one, to keep secret, to conceal. adr:;;444 Castro Street, Suite 1001;Mountain View;California;94041;USA version:2.1 email;internet:[EMAIL PROTECTED] note;quoted-printable:=0D=0AAlternative =0D=0A=0D=0ACelo Communications Ltd. =0D=0A5 Westland Square=0D=0ADublin 2=0D=0AIreland =0D=0A=0D=0ATel: +353 1 670 9238 =0D=0AFax: +353 1 602 3983 fn:Neil Costigan end:vcard S/MIME Cryptographic Signature
Re: PRNG not seeded in Window NT
When I had the same problem in Win95 with PKCS7 routines I put: static const char rnd_seed[ ] = "string to make the random number generator think it has entropy"; as a global variable, then called RAND_seed(rnd_seed, sizeof rnd_seed); just after my OpenSSL_add_all_algorithms() routine, and it worked. I have seen this in ssltest.c example There is a better way to do it in app_rand.c, I think. -Original Message- From: [EMAIL PROTECTED] [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL PROTECTED] Date: martes 4 de abril de 2000 19:03 Subject: "PRNG not seeded" in Window NT When I try to use "SSL_connect", I get also the error message "PRNG not seeded". I have read the old messages about the problem. But it seems that all the messages are about Unix/Linux, but not Windows. Someone said that with RAND_egd() can solve the problem. I have checked the code and find the following code in rand_egd.c: #if defined(WIN32) || defined(VMS) || defined(__VMS) int RAND_egd(const char *path) { return(-1); } #else ... What can I do in Windows NT? Thanx Fred __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: PRNG not seeded in Window NT
- Original Message - From: Neil Costigan [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, April 04, 2000 8:40 AM Subject: Re: "PRNG not seeded" in Window NT Geoff Thorpe wrote: I'd advise trying to find a lot though ... perhaps kernel stats, file-IO information, network stats, etc etc. OpenSSL can only be as secure as its random-number generator, which can only be as secure as the random seed you give it. (Note, you can't replace those "can only be" phrases with "is"! :- ). with much respect to Per Nilsson for supplying this. should/can be used in addition to suitable hardware // Random seeding modeled after Netscapes SEC package // but keeps looping, sampling the high resolution timer // and the cursor position periodically. This should be // truly random if there is any load at all on the machine. unsigned long WINAPI RandomThread(PVOID dummy) { UUID uuid; POINT pt; LARGE_INTEGER ci; MEMORYSTATUS mem; DWORD dw1,dw2,dw3,dw4; char vol[128],fs[128]; void *p; dw1=GetTickCount(); RAND_seed((unsigned char *)dw1,sizeof(dw1)); p=GetCurrentProcess(); RAND_seed((unsigned char *)p,sizeof(p)); dw1=GetCurrentProcessId(); RAND_seed((unsigned char *)dw1,sizeof(dw1)); p=GetCurrentThread(); RAND_seed((unsigned char *)p,sizeof(p)); dw1=GetCurrentThreadId(); RAND_seed((unsigned char *)dw1,sizeof(dw1)); dw1=GetLogicalDrives(); RAND_seed((unsigned char *)dw1,sizeof(dw1)); GetVolumeInformation(0,vol,sizeof(vol),dw1,dw2,dw3,fs,sizeof(fs)); RAND_seed(vol,strlen(vol)); RAND_seed(fs,strlen(fs)); RAND_seed((unsigned char *)dw1,sizeof(dw1)); RAND_seed((unsigned char *)dw2,sizeof(dw2)); RAND_seed((unsigned char *)dw3,sizeof(dw3)); GetDiskFreeSpace(0,dw1,dw2,dw3,dw4); RAND_seed((unsigned char *)dw1,sizeof(dw1)); RAND_seed((unsigned char *)dw2,sizeof(dw2)); RAND_seed((unsigned char *)dw3,sizeof(dw3)); RAND_seed((unsigned char *)dw4,sizeof(dw4)); mem.dwLength=sizeof(mem); GlobalMemoryStatus(mem); RAND_seed((unsigned char *)mem,sizeof(mem)); dw1=sizeof(vol); GetComputerName(vol,dw1); RAND_seed(vol,dw1); memset(uuid,0,sizeof(uuid)); UuidCreate(uuid); RAND_seed((unsigned char *)uuid,sizeof(uuid)); for(;;) { QueryPerformanceCounter(ci); RAND_seed((unsigned char *)ci,sizeof(ci)); GetCursorPos(pt); RAND_seed((unsigned char *)pt,sizeof(pt)); Sleep(1000); //rand_cb(gCtx); } return 0; // unreachable. but the fuction should have a return value ! } Regards Neil Costigan __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: PRNG not seeded in Window NT
Hi, I also against that kind of problem. The result is that, as exsample you must only add 2 lines. static const char rnd_seed[] = "string to make the random number generator think it has entropy"; RAND_seed(rnd_seed, sizeof(rnd_seed)); . I think this resolve is always need in current version. Bye -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, April 04, 2000 10:38 PM To: [EMAIL PROTECTED] Subject: "PRNG not seeded" in Window NT When I try to use "SSL_connect", I get also the error message "PRNG not seeded". I have read the old messages about the problem. But it seems that all the messages are about Unix/Linux, but not Windows. Someone said that with RAND_egd() can solve the problem. I have checked the code and find the following code in rand_egd.c: #if defined(WIN32) || defined(VMS) || defined(__VMS) int RAND_egd(const char *path) { return(-1); } #else ... What can I do in Windows NT? Thanx Fred __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: PRNG not seeded error message?
HamouniA I am using OpenSSL-0.9.5 with my application, and I always HamouniA get the message "PRNG not seeded" error message" when I do HamouniA an SSL_connect(). HamouniA I installed and configured edg-0.6 and gnupg-1.1.1, but I HamouniA always get the same error. Just installing edg doesn't help. You have to call RAND_egd() explicitely from within your application. That will seed the PRNG with egd data. -- Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED] Chairman@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47 Redakteur@Stacken \ SWEDEN \ or +46-708-26 53 44 Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED] Member of the OpenSSL development team Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info. __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: PRNG not seeded error message?
On Thu, Mar 30, 2000 at 11:30:58PM +0200, Richard Levitte - VMS Whacker wrote: Just installing edg doesn't help. You have to call RAND_egd() explicitely from within your application. That will seed the PRNG with egd data. And by the way that's not just to annoy you, but OpenSSL needs some way to know where the egd socket is. Unlike /dev/urandom, egd has no standardized location in the file system. __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
'prng not seeded' error when changeing RSA private key password
Description: Execution of the 'openssl rsa -des3 -in test.pem -out test-1.pem' command caused the following error: 18026:error:24064064:random number generator:SSLEAY_RAND_BYTES:prng not seeded:md_rand.c:470: I used the 'truss' utility to trace the system calls of the 'openssl rsa' and the 'openssl genrsa' commands. The log showed that the 'openssl genrsa' command opened the file specified in the RANDFILE environment variable but the 'openssl rsa' command did not open it. Environment: OpenSSL self-test report: OpenSSL 0.9.5 28 Feb 2000 OS: Solaris 2.6 built on: Fri Mar 10 13:35:31 MET 2000 platform: solaris-sparcv9-gcc27 options: bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,16,long) idea(int) blowfish(ptr) compiler: gcc -DTHREADS -D_REENTRANT -mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC -DMD5_ASM Test passed. Csaba __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: 'prng not seeded' error when changeing RSA private key password
[EMAIL PROTECTED]: Description: Execution of the 'openssl rsa -des3 -in test.pem -out test-1.pem' command caused the following error: 18026:error:24064064:random number generator:SSLEAY_RAND_BYTES:prng not seeded:md_rand.c:470: The current development version (URL:ftp://ftp.openssl.org/snapshot;type=d) avoids this problem. The random number is used only as an encryption IV, so strong seeding is not really necessary. __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
prng no seeded
Hi folks: I seen a lot of discussion about "PRNG not seeded" error message in this discussion board but no one have really explain (in detail) how to fix this. Compilation for OpenSSL 0.9.5 is a breeze and I'm able to run the program in the test directory successfully without any problem. Now I'm a little confuse about the context of RAND_* in FAQ #6. I installed both EGD as well as librand but I am still getting the random number generator has not been seeded error. Can someone explain more about how this actually works? I did the following after I have successfully compile openssl 0.9.5 % openssl s_client connect www.openssl.org:443 and I got the following error: unable to load 'random state' This means that the random number generator has not been seeded with much random data. Consider setting the RANDFILE environment variable to point at a file that 'random' data can be kept in (the file will be overwritten). CONNECTED(0004) depth=0 /C=DE/ST=Bavaria/L=Munich/O=Ralf S. Engelschall/OU=Security Services Division/CN=www.engelschall.com verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 /C=DE/ST=Bavaria/L=Munich/O=Ralf S. Engelschall/OU=Security Services Division/CN=www.engelschall.com verify error:num=27:certificate not trusted verify return:1 depth=0 /C=DE/ST=Bavaria/L=Munich/O=Ralf S. Engelschall/OU=Security Services Division/CN=www.engelschall.com verify error:num=21:unable to verify the first certificate verify return:1 20013:error:24064064:random number generator:SSLEAY_RAND_BYTES:prng not seeded:md_rand.c:470: 20013:error:05067003:Diffie-Hellman routines:DH_generate_key:BN lib:dh_key.c:148: 20013:error:14098005:SSL routines:SSL3_SEND_CLIENT_KEY_EXCHANGE:bad asn1 object header:s3_clnt.c:1403: The FAQ refer that some broken application is broken and do not call the RAND_add() or RAND_seed() function. What application is this refering to? Are we talking about the webserver or the openssl app is broken? -KHY __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: prng no seeded
On Fri, Mar 03, 2000 at 11:15:57AM -0600, Hon-Yin Kok wrote: Now I'm a little confuse about the context of RAND_* in FAQ #6. I installed both EGD as well as librand but I am still getting the random number generator has not been seeded error. Can someone explain more about how this actually works? I did the following after I have successfully compile openssl 0.9.5 % openssl s_client connect www.openssl.org:443 and I got the following error: unable to load 'random state' This means that the random number generator has not been seeded with much random data. Consider setting the RANDFILE environment variable to point at a file that 'random' data can be kept in (the file will be overwritten). As of now, s_server has no "-rand" command line option to specify usage which source to use to seed the PRNG. You have to use the RANDFILE environment variable that must point to a file containing "entropy". If you don't use the variable, a default of $HOME/.rnd is used. If you have EGD, you have a script egd-0.6/eg/egc.pl. Use it with egc.pl /path/to/your/egd-socket read 255 $HOME/.rnd for initial seeding. The problem will be gone in future. (Of course check for error messages in the file.) Maybe future versions of OpenSSL will also have the "-rand" option for s_server... Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: prng no seeded
On Fri, Mar 03, 2000 at 11:15:57AM -0600, Hon-Yin Kok wrote: The FAQ refer that some broken application is broken and do not call the RAND_add() or RAND_seed() function. What application is this refering to? Are we talking about the webserver or the openssl app is broken? It's referring to some third-party programs that don't seed the PRNG at all. With the openssl app, you can always create a seed file (.rnd) and use that, exactly as you should already have done with the previous versions of SSLeay and OpenSSL. The commands that have the -rand option to specify random files allow you to specify your EGD socket in exactly the same way. They will also write the PRNG state to the seed file. I suppose s_client should have the -rand option as well (in other words, while it's not broken, it is not user friendly either). __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: prng no seeded
On Fri, Mar 03, 2000 at 10:00:39PM +0100, Lutz Jaenicke wrote: Maybe future versions of OpenSSL will also have the "-rand" option for s_server... 'openssl rand -rand file:egd-socket:whatever 0' can be used to initialize $RANDFILE or $HOME/.rnd (in future versions of OpenSSL). Or 'openssl rand -rand file:egd-socket:whatever -base64 6' if you need a new Unix password. __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: prng no seeded
Now I'm a little confuse about the context of RAND_* in FAQ #6. I installed both EGD as well as librand but I am still getting the random number generator has not been seeded error. Can someone explain more about how this actually works? I did the following after I have successfully compile openssl 0.9.5 % openssl s_client connect www.openssl.org:443 and I got the following error: unable to load 'random state' This means that the random number generator has not been seeded with much random data. Consider setting the RANDFILE environment variable to point at a file that 'random' data can be kept in (the file will be overwritten). See the last sentence of that message. If $RANDFILE is not set, file $HOME/.rnd will be used for seeding the PRNG. It will also be written back by those sub-programs of the openssl command that understand the -rand option -- e.g. run "openssl genrsa -rand your_egd_socket 1024" to create $HOME/.rnd, then re-try s_client. __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]