Re: [openssl-users] DH_generate_key Hangs
1.0.2 and 1.1.0, whatever the highest letter is, are the supported releases.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] DH_generate_key Hangs
Hi Salz,

I have built the 1.1.0f with vc10 (have to move some header files)

Is the OpenSSL 1.1.0f supported version?

Thanks
Jason

On Thu, Oct 5, 2017 at 3:31 PM, Salz, Rich wrote:

> - Compared code of RAND_poll(void) between 1.0.1 and 1.0.2 and it
>   seems no change
>
> Sorry, then try 1.1.0. The HEAPWALK bug/issue is fixed there.
Re: [openssl-users] DH_generate_key Hangs
Hi Jeff,

Checked https://rt.openssl.org/Ticket/Display.html?id=2100&user=guest&pass=guest and it seems exactly the same issue I have.

I have moved to 1.0.1c. One question is where can I find the patch? I have the built environment and I can build myself.

Thanks for the help
Jason

On Thu, Oct 5, 2017 at 3:37 PM, Jeffrey Walton wrote:

> On Thu, Oct 5, 2017 at 3:27 PM, Jason Qian via openssl-users wrote:
> > Compared code of RAND_poll(void) between 1.0.1 and 1.0.2 and it seems no
> > change
>
> I believe it was fixed earlier than that. Also see
> https://rt.openssl.org/Ticket/Display.html?id=2100&user=guest&pass=guest
>
> As Michael suggested, 0.9.8 is the biggest problem. You should
> probably solve that problem first.
>
> Jeff
Re: [openssl-users] DH_generate_key Hangs
Thanks,

On Fri, Oct 6, 2017 at 9:36 AM, Salz, Rich wrote:

> Okay, you seem to be looking for an answer and there isn’t one.
>
> The release you are using has problems when it decided to walk the heap.
> The release you are using WILL NOT BE FIXED.
>
> Change your code, backport the fix, or move to a more modern release.
> Sorry, there is no other way.
Re: [openssl-users] DH_generate_key Hangs
Okay, you seem to be looking for an answer and there isn’t one.

The release you are using has problems when it decided to walk the heap. The release you are using WILL NOT BE FIXED.

Change your code, backport the fix, or move to a more modern release. Sorry, there is no other way.
Re: [openssl-users] DH_generate_key Hangs
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Jason Qian via openssl-users
> Sent: Friday, October 06, 2017 07:14

> The challenge is that, we are not directly calling RAND_poll(). We just call
> DH_generate_key for DH key.
> From the following call stacks, you can see the RAND_poll() is triggered by
> ssleay_rand_bytes.

RAND_poll is being called because the PRNG does not have enough entropy. Seed it with sufficient entropy first, and it won't be called by DH_generate_key.

--
Michael Wojcik
Distinguished Engineer, Micro Focus
Re: [openssl-users] DH_generate_key Hangs
Thanks Jeff,

The challenge is that, we are not directly calling RAND_poll(). We just call *DH_generate_key* for DH key.

From the following call stacks, you can see the RAND_poll() is triggered by ssleay_rand_bytes.

  libeay32d.dll!*RAND_poll*() Line 572 C
  libeay32d.dll!ssleay_rand_bytes(unsigned char * buf=0x03318fe0, int num=128, int pseudo=0) Line 395 C
  libeay32d.dll!ssleay_rand_nopseudo_bytes(unsigned char * buf=0x03318fe0, int num=128) Line 536 + 0xf bytes C
  libeay32d.dll!RAND_bytes(unsigned char * buf=0x03318fe0, int num=128) Line 164 + 0x10 bytes C
  libeay32d.dll!bnrand(int pseudorand=0, bignum_st * rnd=0x03318518, int bits=1023, int top=0, int bottom=0) Line 152 + 0xd bytes C
> libeay32d.dll!BN_rand(bignum_st * rnd=0x03318518, int bits=1023, int top=0, int bottom=0) Line 213 + 0x17 bytes C
  libeay32d.dll!generate_key(dh_st * dh=0x03316a88) Line 170 + 0x11 bytes C
  libeay32d.dll!*DH_generate_key*(dh_st * dh=0x03316a88) Line 84 + 0xf bytes C

Jason

On Thu, Oct 5, 2017 at 7:52 PM, Jeffrey Walton wrote:

> >> You should avoid calls to RAND_poll altogether on Windows. Do so by
> >> explicitly seeding the random number generator yourself.
> >
> > As a starting point, try something like this:
> >
> > -----
> > static ENGINE *rdrand;
> >
> > void init_prng(void) {
> >     /* Try to seed the PRNG with the Intel RDRAND on-chip PRNG */
> >     OPENSSL_cpuid_setup();
> >     ENGINE_load_rdrand();
> >     rdrand = ENGINE_by_id("rdrand");
> >     if (rdrand) {
> >         int success = 0;
> >         if (ENGINE_init(rdrand)) {
> >             success = ENGINE_set_default(rdrand, ENGINE_METHOD_RAND);
> >         }
> >
> >         /***
> >         Per OpenSSL wiki, call ENGINE_free here regardless of whether we're
> >         successfully using rdrand. The "functional reference" to rdrand will
> >         be released when we call ENGINE_finish.
> >         ***/
> >         ENGINE_free(rdrand);
> >         if (! success) ENGINE_finish(rdrand), rdrand = NULL;
> >     }
> >
> >     if (!rdrand && !RAND_status()) {
> >         RAND_screen();   /* this isn't really enough entropy, but it's a start */
> >         if (!RAND_status()) {
> >             RAND_poll();      /* try to gather additional entropy */
> >         }
> >     }
> > }
> >
> > void terminate_engines(void) {
> >     if (rdrand) ENGINE_finish(rdrand), rdrand = NULL;
> >     /* similarly for any other engines you use */
> >     ENGINE_cleanup();
> > }
> > -----
> >
> > Call init_prng after your OpenSSL initialization code (e.g. after calling
> > OpenSSL_add_all_algorithms), and terminate_engines when you're done using
> > OpenSSL (e.g. just before process exit).
> >
> > Note that this code uses RAND_screen if RDRAND isn't available. RAND_screen
> > is really not a very good idea; it may be OK on workstations, but rarely
> > provides much entropy on servers because they typically aren't doing much
> > screen output. And if you still need entropy after the RAND_screen call,
> > you'll end up in RAND_poll anyway. The alternative is to write your own code
> > that harvests entropy from some source (or sources).
> >
> > Other people may have better suggestions.
>
> Headless servers without hw entropy sources are tough. In this case I
> use hedging. I've got some patches somewhere for 1.0.1, but they won't
> apply to 0.9.8.
>
> Also see:
>
> * When Good Randomness Goes Bad: Virtual Machine Reset Vulnerabilities
>   and Hedging Deployed Cryptography,
>   http://pages.cs.wisc.edu/~rist/papers/sslhedge.pdf
> * When Virtual is Harder than Real: Security Challenges in Virtual
>   Machine Based Computing Environments,
>   http://www.usenix.org/legacy/event/hotos05/final_papers/full_papers/garfinkel/garfinkel.pdf
>
> Jeff
Re: [openssl-users] DH_generate_key Hangs
>> You should avoid calls to RAND_poll altogether on Windows. Do so by
>> explicitly seeding the random number generator yourself.
>
> As a starting point, try something like this:
>
> -----
> static ENGINE *rdrand;
>
> void init_prng(void) {
>     /* Try to seed the PRNG with the Intel RDRAND on-chip PRNG */
>     OPENSSL_cpuid_setup();
>     ENGINE_load_rdrand();
>     rdrand = ENGINE_by_id("rdrand");
>     if (rdrand) {
>         int success = 0;
>         if (ENGINE_init(rdrand)) {
>             success = ENGINE_set_default(rdrand, ENGINE_METHOD_RAND);
>         }
>
>         /***
>         Per OpenSSL wiki, call ENGINE_free here regardless of whether we're
>         successfully using rdrand. The "functional reference" to rdrand will
>         be released when we call ENGINE_finish.
>         ***/
>         ENGINE_free(rdrand);
>         if (! success) ENGINE_finish(rdrand), rdrand = NULL;
>     }
>
>     if (!rdrand && !RAND_status()) {
>         RAND_screen();   /* this isn't really enough entropy, but it's a start */
>         if (!RAND_status()) {
>             RAND_poll();      /* try to gather additional entropy */
>         }
>     }
> }
>
> void terminate_engines(void) {
>     if (rdrand) ENGINE_finish(rdrand), rdrand = NULL;
>     /* similarly for any other engines you use */
>     ENGINE_cleanup();
> }
> -----
>
> Call init_prng after your OpenSSL initialization code (e.g. after calling
> OpenSSL_add_all_algorithms), and terminate_engines when you're done using
> OpenSSL (e.g. just before process exit).
>
> Note that this code uses RAND_screen if RDRAND isn't available. RAND_screen
> is really not a very good idea; it may be OK on workstations, but rarely
> provides much entropy on servers because they typically aren't doing much
> screen output. And if you still need entropy after the RAND_screen call,
> you'll end up in RAND_poll anyway. The alternative is to write your own code
> that harvests entropy from some source (or sources).
>
> Other people may have better suggestions.

Headless servers without hw entropy sources are tough. In this case I use hedging. I've got some patches somewhere for 1.0.1, but they won't apply to 0.9.8.

Also see:

* When Good Randomness Goes Bad: Virtual Machine Reset Vulnerabilities and Hedging Deployed Cryptography, http://pages.cs.wisc.edu/~rist/papers/sslhedge.pdf
* When Virtual is Harder than Real: Security Challenges in Virtual Machine Based Computing Environments, http://www.usenix.org/legacy/event/hotos05/final_papers/full_papers/garfinkel/garfinkel.pdf

Jeff
Re: [openssl-users] DH_generate_key Hangs
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Jeffrey Walton
> Sent: Thursday, October 05, 2017 13:33
> To: Jason Qian; OpenSSL Users
> Subject: Re: [openssl-users] DH_generate_key Hangs
>
> You should avoid calls to RAND_poll altogether on Windows. Do so by
> explicitly seeding the random number generator yourself.

As a starting point, try something like this:

-----
static ENGINE *rdrand;

void init_prng(void) {
    /* Try to seed the PRNG with the Intel RDRAND on-chip PRNG */
    OPENSSL_cpuid_setup();
    ENGINE_load_rdrand();
    rdrand = ENGINE_by_id("rdrand");
    if (rdrand) {
        int success = 0;
        if (ENGINE_init(rdrand)) {
            success = ENGINE_set_default(rdrand, ENGINE_METHOD_RAND);
        }

        /***
        Per OpenSSL wiki, call ENGINE_free here regardless of whether we're
        successfully using rdrand. The "functional reference" to rdrand will
        be released when we call ENGINE_finish.
        ***/
        ENGINE_free(rdrand);
        if (! success) ENGINE_finish(rdrand), rdrand = NULL;
    }

    if (!rdrand && !RAND_status()) {
        RAND_screen();   /* this isn't really enough entropy, but it's a start */
        if (!RAND_status()) {
            RAND_poll();      /* try to gather additional entropy */
        }
    }
}

void terminate_engines(void) {
    if (rdrand) ENGINE_finish(rdrand), rdrand = NULL;
    /* similarly for any other engines you use */
    ENGINE_cleanup();
}
-----

Call init_prng after your OpenSSL initialization code (e.g. after calling OpenSSL_add_all_algorithms), and terminate_engines when you're done using OpenSSL (e.g. just before process exit).

Note that this code uses RAND_screen if RDRAND isn't available. RAND_screen is really not a very good idea; it may be OK on workstations, but rarely provides much entropy on servers because they typically aren't doing much screen output. And if you still need entropy after the RAND_screen call, you'll end up in RAND_poll anyway. The alternative is to write your own code that harvests entropy from some source (or sources).

Other people may have better suggestions.

--
Michael Wojcik
Distinguished Engineer, Micro Focus
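The alternative mentioned at the end of the message above (your own code that harvests entropy from some source) could look like the following added example, which is not code from any poster or from OpenSSL. `seed_from_os`, `seed_sink` and `counting_sink` are hypothetical names; the assumption is that a real program passes a thin wrapper around `RAND_add` as the sink and calls the helper right after OpenSSL initialization.

```c
#include <stddef.h>
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h> /* link with advapi32 */
#else
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#endif

#define SEED_MAX 64 /* largest single seeding request, in bytes */

/* Hypothetical sink type: a real program passes a thin wrapper around
 * RAND_add(buf, num, entropy); the entropy estimate is in bytes. */
typedef void (*seed_sink)(const void *buf, int num, double entropy);

/* Fill buf from the OS generator; returns 1 on success, 0 on failure. */
static int os_random(unsigned char *buf, size_t len)
{
#ifdef _WIN32
    HCRYPTPROV prov = 0;
    BOOL ok;
    /* CRYPT_VERIFYCONTEXT: no key container, so it works in services. */
    if (!CryptAcquireContextW(&prov, NULL, NULL, PROV_RSA_FULL,
                              CRYPT_VERIFYCONTEXT | CRYPT_SILENT))
        return 0;
    ok = CryptGenRandom(prov, (DWORD)len, buf);
    CryptReleaseContext(prov, 0);
    return ok ? 1 : 0;
#else
    size_t got = 0;
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n > 0)
            got += (size_t)n;
        else if (n < 0 && errno == EINTR)
            continue; /* interrupted by a signal: retry */
        else
            break;    /* EOF or hard error: fail closed */
    }
    close(fd);
    return got == len;
#endif
}

/* Hypothetical helper: hand nbytes of OS randomness to sink, then wipe. */
int seed_from_os(seed_sink sink, size_t nbytes)
{
    unsigned char buf[SEED_MAX];
    volatile unsigned char *v = buf; /* volatile: wipe is not optimised out */
    size_t i;
    int ok;

    if (sink == NULL || nbytes == 0 || nbytes > sizeof buf)
        return 0;
    ok = os_random(buf, nbytes);
    if (ok)
        sink(buf, (int)nbytes, (double)nbytes); /* credit only on success */
    for (i = 0; i < sizeof buf; i++)
        v[i] = 0;
    return ok;
}

/* Constructed stand-in sink for the demo: counts what it is given. */
static size_t g_fed;
static double g_credit;
static void counting_sink(const void *buf, int num, double entropy)
{
    (void)buf;
    g_fed += (size_t)num;
    g_credit += entropy;
}

int main(void)
{
    return (seed_from_os(counting_sink, 32) && g_fed == 32) ? 0 : 1;
}
```

The helper fails closed: a short read or a provider error returns 0 and credits no entropy, so the caller can refuse to generate keys instead of continuing with a weakly seeded PRNG.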
Re: [openssl-users] DH_generate_key Hangs
More:

The call stacks are from 1.0.1c when calling DH_generate_key.

Is any fix in the latest version for this?

Thanks
Jason

On Thu, Oct 5, 2017 at 3:53 PM, Jason Qian wrote:

> We call DH_generate_key(DH *dh) and the RAND_poll() is called
> ssleay_rand_bytes
>
>   libeay32d.dll!RAND_poll() Line 572 C
>   libeay32d.dll!ssleay_rand_bytes(unsigned char * buf=0x03318fe0, int num=128, int pseudo=0) Line 395 C
>   libeay32d.dll!ssleay_rand_nopseudo_bytes(unsigned char * buf=0x03318fe0, int num=128) Line 536 + 0xf bytes C
>   libeay32d.dll!RAND_bytes(unsigned char * buf=0x03318fe0, int num=128) Line 164 + 0x10 bytes C
>   libeay32d.dll!bnrand(int pseudorand=0, bignum_st * rnd=0x03318518, int bits=1023, int top=0, int bottom=0) Line 152 + 0xd bytes C
> > libeay32d.dll!BN_rand(bignum_st * rnd=0x03318518, int bits=1023, int top=0, int bottom=0) Line 213 + 0x17 bytes C
>   libeay32d.dll!generate_key(dh_st * dh=0x03316a88) Line 170 + 0x11 bytes C
>   libeay32d.dll!DH_generate_key(dh_st * dh=0x03316a88) Line 84 + 0xf bytes C
>
> Thanks
> Jason
>
> On Thu, Oct 5, 2017 at 3:33 PM, Jeffrey Walton wrote:
>
>> On Thu, Oct 5, 2017 at 2:55 PM, Jason Qian via openssl-users wrote:
>> > Thanks Michael,
>> >
>> > I saw a lot of discussion for this issue on,
>> >
>> > https://mta.openssl.org/pipermail/openssl-dev/2015-July/002210.html
>> >
>> > Not sure if openSSL has a workaround or a patch ?
>> >
>> > It hangs on :
>> >
>> > libeay32.dll!RAND_poll() Line 523
>> >
>> > if (heap_first(&hentry,
>> >     hlist.th32ProcessID,
>> >     hlist.th32HeapID))
>>
>> You should avoid calls to RAND_poll altogether on Windows. Do so by
>> explicitly seeding the random number generator yourself.
>>
>> Also see https://wiki.openssl.org/index.php/Random_Numbers#Windows_Issues
>> on the OpenSSL wiki.
>>
>> Jeff
Re: [openssl-users] DH_generate_key Hangs
We call DH_generate_key(DH *dh) and the RAND_poll() is called ssleay_rand_bytes

  libeay32d.dll!RAND_poll() Line 572 C
  libeay32d.dll!ssleay_rand_bytes(unsigned char * buf=0x03318fe0, int num=128, int pseudo=0) Line 395 C
  libeay32d.dll!ssleay_rand_nopseudo_bytes(unsigned char * buf=0x03318fe0, int num=128) Line 536 + 0xf bytes C
  libeay32d.dll!RAND_bytes(unsigned char * buf=0x03318fe0, int num=128) Line 164 + 0x10 bytes C
  libeay32d.dll!bnrand(int pseudorand=0, bignum_st * rnd=0x03318518, int bits=1023, int top=0, int bottom=0) Line 152 + 0xd bytes C
> libeay32d.dll!BN_rand(bignum_st * rnd=0x03318518, int bits=1023, int top=0, int bottom=0) Line 213 + 0x17 bytes C
  libeay32d.dll!generate_key(dh_st * dh=0x03316a88) Line 170 + 0x11 bytes C
  libeay32d.dll!DH_generate_key(dh_st * dh=0x03316a88) Line 84 + 0xf bytes C

Thanks
Jason

On Thu, Oct 5, 2017 at 3:33 PM, Jeffrey Walton wrote:

> On Thu, Oct 5, 2017 at 2:55 PM, Jason Qian via openssl-users wrote:
> > Thanks Michael,
> >
> > I saw a lot of discussion for this issue on,
> >
> > https://mta.openssl.org/pipermail/openssl-dev/2015-July/002210.html
> >
> > Not sure if openSSL has a workaround or a patch ?
> >
> > It hangs on :
> >
> > libeay32.dll!RAND_poll() Line 523
> >
> > if (heap_first(&hentry,
> >     hlist.th32ProcessID,
> >     hlist.th32HeapID))
>
> You should avoid calls to RAND_poll altogether on Windows. Do so by
> explicitly seeding the random number generator yourself.
>
> Also see https://wiki.openssl.org/index.php/Random_Numbers#Windows_Issues
> on the OpenSSL wiki.
>
> Jeff
Re: [openssl-users] DH_generate_key Hangs
On Thu, Oct 5, 2017 at 3:27 PM, Jason Qian via openssl-users wrote:
> Compared code of RAND_poll(void) between 1.0.1 and 1.0.2 and it seems no
> change

I believe it was fixed earlier than that. Also see https://rt.openssl.org/Ticket/Display.html?id=2100&user=guest&pass=guest

As Michael suggested, 0.9.8 is the biggest problem. You should probably solve that problem first.

Jeff
Re: [openssl-users] DH_generate_key Hangs
On Thu, Oct 5, 2017 at 2:55 PM, Jason Qian via openssl-users wrote:
> Thanks Michael,
>
> I saw a lot of discussion for this issue on,
>
> https://mta.openssl.org/pipermail/openssl-dev/2015-July/002210.html
>
> Not sure if openSSL has a workaround or a patch ?
>
> It hangs on :
>
> libeay32.dll!RAND_poll() Line 523
>
> if (heap_first(&hentry,
>     hlist.th32ProcessID,
>     hlist.th32HeapID))

You should avoid calls to RAND_poll altogether on Windows. Do so by explicitly seeding the random number generator yourself.

Also see https://wiki.openssl.org/index.php/Random_Numbers#Windows_Issues on the OpenSSL wiki.

Jeff
Re: [openssl-users] DH_generate_key Hangs
* Compared code of RAND_poll(void) between 1.0.1 and 1.0.2 and it seems no change

Sorry, then try 1.1.0. The HEAPWALK bug/issue is fixed there.
Re: [openssl-users] DH_generate_key Hangs
Compared code of RAND_poll(void) between 1.0.1 and 1.0.2 and it seems no change

Thanks

On Thu, Oct 5, 2017 at 2:59 PM, Salz, Rich wrote:

> You could try to backport the win_rand file from a more recent release.
>
> Far better, as Michael first said, to move to 1.0.2 or later.
Re: [openssl-users] DH_generate_key Hangs
You could try to backport the win_rand file from a more recent release.

Far better, as Michael first said, to move to 1.0.2 or later.
Re: [openssl-users] DH_generate_key Hangs
Thanks Michael,

I saw a lot of discussion for this issue on,

https://mta.openssl.org/pipermail/openssl-dev/2015-July/002210.html

Not sure if openSSL has a workaround or a patch ?

It hangs on :

*libeay32.dll!RAND_poll() Line 523*

if (*heap_first*(&hentry,
    hlist.th32ProcessID,
    hlist.th32HeapID))

Jason

On Thu, Oct 5, 2017 at 11:59 AM, Michael Wojcik <michael.woj...@microfocus.com> wrote:

> As I speculated, it appears you're hanging in random-number generation,
> probably due to a blocking CPRNG that can't get the entropy it needs.
>
> This is an operating-system issue, and needs to be referred to your OS
> administrator.
>
> Michael Wojcik
> Distinguished Engineer, Micro Focus
>
> *From:* Jason Qian [mailto:jq...@tibco.com]
> *Sent:* Thursday, October 05, 2017 08:44
> *To:* Michael Wojcik
> *Cc:* openssl-users@openssl.org
> *Subject:* Re: [openssl-users] DH_generate_key Hangs
>
> Here is the stack trace :
>
> libeay32.dll!RAND_poll Normal
> [External Code]
>
> libeay32.dll!RAND_poll() Line 523
> libeay32.dll!ssleay_rand_bytes(unsigned char * buf, int num, int pseudo) Line 395
> libeay32.dll!ssleay_rand_nopseudo_bytes(unsigned char * buf, int num) Line 536
>
> Thanks
> Jason
>
> On Wed, Sep 27, 2017 at 2:02 PM, Michael Wojcik <michael.woj...@microfocus.com> wrote:
>
> > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Jason Qian via openssl-users
> > Sent: Wednesday, September 27, 2017 07:00
> > To: openssl-users@openssl.org
> > Subject: [openssl-users] DH_generate_key Hangs
>
> > Need some help, one of our application that hangs when calling
> > DH_generate_key (openssl-0.9.8y). This occurs randomly under loaded condition.
> > Not sure, if anyone know this issue ?
>
> The issue is running OpenSSL 0.9.8, which has not been supported since
> 2015.
>
> DH_generate_key can use an engine (at least in supported versions of
> OpenSSL - I no longer have any 0.9.8 code around to check), so we really
> can't say what it might be doing in your application. But if it's using the
> default OpenSSL implementation, then if your DH parameters don't already
> include a private key, you'll end up generating random numbers. That can
> hang, if OpenSSL is using a blocking CPRNG source such as /dev/random.
>
> But you haven't provided nearly enough information to do more than
> speculate.
>
> What you need to do:
>
> 1. Upgrade to OpenSSL 1.0.2 (or possibly 1.1.0, but that has API changes
> and isn't an LTS release). There's really no point in proceeding unless you
> do so. Your application is broken if it's using 0.9.8.
>
> 2. If the problem still occurs, debug a hanging instance and find out
> where *exactly* it's hung.
>
> --
> Michael Wojcik
> Distinguished Engineer, Micro Focus
Re: [openssl-users] DH_generate_key Hangs
As I speculated, it appears you're hanging in random-number generation, probably due to a blocking CPRNG that can't get the entropy it needs.

This is an operating-system issue, and needs to be referred to your OS administrator.

Michael Wojcik
Distinguished Engineer, Micro Focus

From: Jason Qian [mailto:jq...@tibco.com]
Sent: Thursday, October 05, 2017 08:44
To: Michael Wojcik
Cc: openssl-users@openssl.org
Subject: Re: [openssl-users] DH_generate_key Hangs

Here is the stack trace :

libeay32.dll!RAND_poll Normal
[External Code]

libeay32.dll!RAND_poll() Line 523
libeay32.dll!ssleay_rand_bytes(unsigned char * buf, int num, int pseudo) Line 395
libeay32.dll!ssleay_rand_nopseudo_bytes(unsigned char * buf, int num) Line 536

Thanks
Jason

On Wed, Sep 27, 2017 at 2:02 PM, Michael Wojcik <michael.woj...@microfocus.com> wrote:

> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Jason Qian via openssl-users
> Sent: Wednesday, September 27, 2017 07:00
> To: openssl-users@openssl.org
> Subject: [openssl-users] DH_generate_key Hangs

> Need some help, one of our application that hangs when calling
> DH_generate_key (openssl-0.9.8y). This occurs randomly under loaded condition.
> Not sure, if anyone know this issue ?

The issue is running OpenSSL 0.9.8, which has not been supported since 2015.

DH_generate_key can use an engine (at least in supported versions of OpenSSL - I no longer have any 0.9.8 code around to check), so we really can't say what it might be doing in your application. But if it's using the default OpenSSL implementation, then if your DH parameters don't already include a private key, you'll end up generating random numbers. That can hang, if OpenSSL is using a blocking CPRNG source such as /dev/random.

But you haven't provided nearly enough information to do more than speculate.

What you need to do:

1. Upgrade to OpenSSL 1.0.2 (or possibly 1.1.0, but that has API changes and isn't an LTS release). There's really no point in proceeding unless you do so. Your application is broken if it's using 0.9.8.

2. If the problem still occurs, debug a hanging instance and find out where *exactly* it's hung.

--
Michael Wojcik
Distinguished Engineer, Micro Focus
Re: [openssl-users] DH_generate_key Hangs
Here is the stack trace :

libeay32.dll!RAND_poll Normal
[External Code]

libeay32.dll!RAND_poll() Line 523
libeay32.dll!ssleay_rand_bytes(unsigned char * buf, int num, int pseudo) Line 395
libeay32.dll!ssleay_rand_nopseudo_bytes(unsigned char * buf, int num) Line 536

Thanks
Jason

On Wed, Sep 27, 2017 at 2:02 PM, Michael Wojcik <michael.woj...@microfocus.com> wrote:

> > From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Jason Qian via openssl-users
> > Sent: Wednesday, September 27, 2017 07:00
> > To: openssl-users@openssl.org
> > Subject: [openssl-users] DH_generate_key Hangs
>
> > Need some help, one of our application that hangs when calling
> > DH_generate_key (openssl-0.9.8y). This occurs randomly under loaded condition.
> > Not sure, if anyone know this issue ?
>
> The issue is running OpenSSL 0.9.8, which has not been supported since
> 2015.
>
> DH_generate_key can use an engine (at least in supported versions of
> OpenSSL - I no longer have any 0.9.8 code around to check), so we really
> can't say what it might be doing in your application. But if it's using the
> default OpenSSL implementation, then if your DH parameters don't already
> include a private key, you'll end up generating random numbers. That can
> hang, if OpenSSL is using a blocking CPRNG source such as /dev/random.
>
> But you haven't provided nearly enough information to do more than
> speculate.
>
> What you need to do:
>
> 1. Upgrade to OpenSSL 1.0.2 (or possibly 1.1.0, but that has API changes
> and isn't an LTS release). There's really no point in proceeding unless you
> do so. Your application is broken if it's using 0.9.8.
>
> 2. If the problem still occurs, debug a hanging instance and find out
> where *exactly* it's hung.
>
> --
> Michael Wojcik
> Distinguished Engineer, Micro Focus
Re: [openssl-users] DH_generate_key Hangs
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Jason Qian via openssl-users
> Sent: Wednesday, September 27, 2017 07:00
> To: openssl-users@openssl.org
> Subject: [openssl-users] DH_generate_key Hangs

> Need some help, one of our application that hangs when calling
> DH_generate_key (openssl-0.9.8y). This occurs randomly under loaded
> condition.
> Not sure, if anyone know this issue ?

The issue is running OpenSSL 0.9.8, which has not been supported since 2015.

DH_generate_key can use an engine (at least in supported versions of OpenSSL - I no longer have any 0.9.8 code around to check), so we really can't say what it might be doing in your application. But if it's using the default OpenSSL implementation, then if your DH parameters don't already include a private key, you'll end up generating random numbers. That can hang, if OpenSSL is using a blocking CPRNG source such as /dev/random.

But you haven't provided nearly enough information to do more than speculate.

What you need to do:

1. Upgrade to OpenSSL 1.0.2 (or possibly 1.1.0, but that has API changes and isn't an LTS release). There's really no point in proceeding unless you do so. Your application is broken if it's using 0.9.8.

2. If the problem still occurs, debug a hanging instance and find out where *exactly* it's hung.

--
Michael Wojcik
Distinguished Engineer, Micro Focus
[openssl-users] DH_generate_key Hangs
Hi,

Need some help, one of our application that hangs when calling DH_generate_key (openssl-0.9.8y). This occurs randomly under loaded condition.

Not sure, if anyone know this issue ?

Thanks
Jason