RE: using /dev/random /dev/urandom

2006-04-08 Thread David Schwartz
1. When using OpenSSL for signing data, and for SSL sessions (both client side and server side), should I use the /dev/random instead? IMO, if you're using the random data just to seed a PRNG, there is no rational reason to insist on using /dev/random instead of /dev/urandom. The only

Openssl FAILS to work with hardware RNG /dev/urandom (10, 183)

2005-04-25 Thread Konstantin Andreev
Hello, everybody. Is there anybody here to address this problem?! I've already brought this up (22 Apr 2005), but nobody showed interest. In short: if I replace the standard (1,9) /dev/urandom with the hardware one (10,183), then an application using the openssl library begins to fail. It seems to me

[openssl.org #558] Patch Openssl 0.9.7a for AIX 5.2 to use /dev/urandom

2003-11-16 Thread Lutz Jaenicke via RT
[jaenicke - Wed Apr 30 15:46:39 2003]: [jaenicke - Mon Apr 28 10:56:55 2003]: I consider this to be a bug in the AIX 5.2 select() routine. Please file a bug report. In the meantime I have received information from Craig Anthony [EMAIL PROTECTED]. The AIX 5.2

Re: [openssl.org #558] Patch Openssl 0.9.7a for AIX 5.2 to use /dev/urandom

2003-04-02 Thread [EMAIL PROTECTED] via RT
) = 0x _getpid() = 22600 _getpid() = 22600 open(/dev/urandom, O_RDONLY|O_NOCTTY|O_NONBLOCK) = 3 _select(4, 0x2FF20A50, 0x, 0x, 0x2FF22A58) = 0 close(3)= 0 open(/dev

RE: [openssl.org #558] Patch Openssl 0.9.7a for AIX 5.2 to use /dev/urandom

2003-04-02 Thread Howard Chu
According to your truss output, neither version should work at all; select is returning 0 in every case which means that no descriptors are ready. Perhaps AIX's /dev/urandom device driver doesn't support select() functionality. That would certainly be stupid, but not unheard of. Your patch

RE: [openssl.org #558] Patch Openssl 0.9.7a for AIX 5.2 to use /dev/urandom

2003-04-02 Thread Howard Chu
The current code is pretty ineffective. Since select() only tells you that at least 1 byte is available, you still need to do a read to determine how many bytes are actually there. Given that the descriptor is already open non-blocking, this would probably be better: --- rand_unix.c.O Thu

[openssl.org #558] Patch Openssl 0.9.7a for AIX 5.2 to use /dev/urandom

2003-04-01 Thread Bodo Moeller via RT
No patch should be required, not even AIX can be that weird. An official specification for select() is available at http://www.opengroup.org/onlinepubs/007908799/xsh/select.html

[openssl.org #558] Patch Openssl 0.9.7a for AIX 5.2 to use /dev/urandom

2003-04-01 Thread Bodo Moeller via RT
[bodo - Tue Apr 1 16:58:47 2003]: No patch should be required, not even AIX can be that weird. An official specification for select() is available at http://publibn.boulder.ibm.com/doc_link/en_US/a_doc_lib/libs/commtrf1/select.htm This was the wrong link, I meant the www.opengroup.org

[openssl.org #558] Patch Openssl 0.9.7a for AIX 5.2 to use /dev/urandom

2003-03-31 Thread [EMAIL PROTECTED] via RT
Hello! Since 5.2 AIX supports /dev/random and /dev/urandom. Openssl doesn't use it because the select system call works differently on AIX than on Linux. As described in the following URL, the select system call expects the number of file descriptors as first parameter in AIX. Linux expects

RE: [openssl.org #558] Patch Openssl 0.9.7a for AIX 5.2 to use /dev/urandom

2003-03-31 Thread Howard Chu
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Lutz Jaenicke via RT On Mon, Mar 31, 2003 at 10:54:31AM +0200, [EMAIL PROTECTED] via RT wrote: Since 5.2 AIX supports /dev/random and /dev/urandom. Openssl doesn't use it because the select system

RE: [openssl.org #558] Patch Openssl 0.9.7a for AIX 5.2 to use /dev/urandom

2003-03-31 Thread Chris Brook
] [mailto:[EMAIL PROTECTED] Behalf Of Lutz Jaenicke via RT Sent: Monday, March 31, 2003 1:56 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: [openssl.org #558] Patch Openssl 0.9.7a for AIX 5.2 to use /dev/urandom On Mon, Mar 31, 2003 at 10:54:31AM +0200, [EMAIL PROTECTED] via RT wrote

RE: [openssl.org #558] Patch Openssl 0.9.7a for AIX 5.2 to use /dev/urandom

2003-03-31 Thread Dilkie, Lee
This is a non-issue; they are two different ways of saying the same thing. The AIX description is the same one all Unix systems with select() have used since... 4.2BSD. I don't recall if 4.1 had select() or not. Think about it. The fdset is a bit field. The nfds parameter tells select

Re: [openssl.org #558] Patch Openssl 0.9.7a for AIX 5.2 to use /dev/urandom

2003-03-31 Thread Rich Salz
select() expects the first parameter to contain the number of fd's to be checked in all flavours of Unix. No. It is 1+(maxfd). Traditionally they are the same, but for long-running servers that open and close things and have holes they won't be. /r$

RE: [openssl.org #558] Patch Openssl 0.9.7a for AIX 5.2 to use /dev/urandom

2003-03-31 Thread Howard Chu
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dilkie, Lee This is a non-issue; they are two different ways of saying the same thing. The AIX description is the same one all Unix systems with select() have used since... 4.2BSD. I don't recall

Re: [openssl.org #558] Patch Openssl 0.9.7a for AIX 5.2 to use /dev/urandom

2003-03-31 Thread Lutz Jaenicke via RT
On Mon, Mar 31, 2003 at 10:54:31AM +0200, [EMAIL PROTECTED] via RT wrote: Since 5.2 AIX supports /dev/random and /dev/urandom. Openssl doesn't use it because the select system call works differently on AIX than on Linux. As described in the following URL, the select system call expects

/dev/urandom

2001-11-27 Thread Frank Balluffi
I see that the UNIX version of RAND_poll uses /dev/urandom by default (see the definition of DEVRANDOM in e_os.h and its use in rand_win.c). Can someone explain to me the difference between /dev/random and /dev/urandom or point me to a reference. I am particularly interested in when each blocks

Re: Bug relating to /dev/urandom and RAND_egd in libcrypto.a

2000-06-29 Thread Brian S. Craigie
Many thanks to everyone who has helped me with this. Best Regards, Brian Ulf Moeller wrote: On Wed, Jun 28, 2000, Brian S. Craigie wrote: it doesn't appear to proceed to look wherever RANDFILE is defined, nor to call RAND_egd. The command-line SSL programs do honour the RANDFILE

Re: Bug relating to /dev/urandom and RAND_egd in libcrypto.a

2000-06-28 Thread Ulf Moeller
On Wed, Jun 28, 2000, Brian S. Craigie wrote: it doesn't appear to proceed to look wherever RANDFILE is defined, nor to call RAND_egd. The command-line SSL programs do honour the RANDFILE settings, but libcrypto.a doesn't appear to. From what I can see in the source, apps/app_rand.c is

Re: RSA_generate_key() without /dev/urandom

2000-04-13 Thread Nicolas Roumiantzeff
Bodo Moeller wrote about the truerand library (at ftp://ftp.research.att.com/dist/mab/librand.shar): It's not that portable (for getting CFS to work, I had to replace the roulette() function by an implementation that simply reads from /dev/urandom -- for reasons I did not investigate further

Re: RSA_generate_key() without /dev/urandom

2000-04-12 Thread Bodo Moeller
Nicolas Roumiantzeff [EMAIL PROTECTED]: There should be some workaround for systems without /dev/urandom ! I posted a pointer to a secure random mechanism which is portable and does not rely on the user input and because of the continuous number of complaints on the subject, I am quite

Re: RSA_generate_key() without /dev/urandom

2000-04-06 Thread Nicolas Roumiantzeff
There should be some workaround for systems without /dev/urandom ! I posted a pointer to a secure random mechanism which is portable and does not rely on the user input and because of the continuous number of complaints on the subject, I am quite surprised that no one asked

RSA_generate_key() without /dev/urandom

2000-04-05 Thread Hans Werner Strube
): tmp_rsa_cb: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded Solaris has no /dev/urandom. When I faked a /dev/urandom as a symlink to some readable file, this worked. I could reproduce the error with the following test program, containing the same calls as stunnel