Re: OpenSSL-3.+ how to configure [random]?

2021-11-11 Thread Matthew Tanner
unsubscribe Get Outlook for iOS <https://aka.ms/o0ukef> From: openssl-users on behalf of Dr Paul Dale Sent: Wednesday, November 10, 2021 2:20:03 PM To: openssl-users@openssl.org Subject: Re: OpenSSL-3.+ how to configure [random]? I'm pretty sure the unde

Re: OpenSSL-3.+ how to configure [random]?

2021-11-10 Thread Blumenthal, Uri - 0553 - MITLL
On 11/10/21, 15:20, "openssl-users on behalf of Dr Paul Dale" wrote: > > I'm pretty sure the underlying problem is that there is a call to > RAND_set_rand_method() or RAND_set_rand_engine() occurring (likely the > latter). Probably... > These completely replace the built in RNG

Re: OpenSSL-3.+ how to configure [random]?

2021-11-10 Thread Dr Paul Dale
I'm pretty sure the underlying problem is that there is a call to RAND_set_rand_method() or RAND_set_rand_engine() occurring (likely the latter). These completely replace the built in RNG infrastructure with the RAND_METHOD/engine.  If the engine then fails to produce output for any reason,

Re: OpenSSL-3.+ how to configure [random]?

2021-11-10 Thread Blumenthal, Uri - 0553 - MITLL
Yes, it's related to https://github.com/openssl/openssl/issues/16996, and yes - the same solution worked. There's something wrong with how PKCS#11 engine deals with (or presents itself as) rand provider. In any case, removing PKCS#11 engine from the [engines] section alleviated this problem.

Re: OpenSSL-3.+ how to configure [random]?

2021-11-10 Thread Nicola Tuveri
Just chiming in quickly to mention that this could be related to https://github.com/openssl/openssl/issues/16996 Nicola On Wed, Nov 10, 2021 at 10:33 AM Tomas Mraz wrote: > > On Wed, 2021-11-10 at 03:38 +, Blumenthal, Uri - 0553 - MITLL > wrote: > > On 11/9/21, 22:23, "Dr Paul Dale" wrote:

Re: OpenSSL-3.+ how to configure [random]?

2021-11-10 Thread Tomas Mraz
On Wed, 2021-11-10 at 03:38 +, Blumenthal, Uri - 0553 - MITLL wrote: > On 11/9/21, 22:23, "Dr Paul Dale" wrote: > > >    Currently I've no idea and can't reproduce locally :( > > Maybe you'd know how to force the "-engine rdrand" path through > "openssl.cnf"? > > >    A rogue configuration

Re: OpenSSL-3.+ how to configure [random]?

2021-11-09 Thread Blumenthal, Uri - 0553 - MITLL
On 11/9/21, 23:07, "Dr Paul Dale" wrote: >There is documentation: > https://www.openssl.org/docs/man3.0/man5/config.html Yes, I know. Alas, it's not helpful at all. RDRAND is an *engine*, but it does not seem to have a "separate" physical presence, like a shared library. For other

Re: OpenSSL-3.+ how to configure [random]?

2021-11-09 Thread Dr Paul Dale
There is documentation: https://www.openssl.org/docs/man3.0/man5/config.html I don't think the rdrand engine takes any extras. Pauli On 10/11/21 1:38 pm, Blumenthal, Uri - 0553 - MITLL wrote: On 11/9/21, 22:23, "Dr Paul Dale" wrote: Currently I've no idea and can't reproduce locally

Re: OpenSSL-3.+ how to configure [random]?

2021-11-09 Thread Blumenthal, Uri - 0553 - MITLL
On 11/9/21, 22:23, "Dr Paul Dale" wrote: >Currently I've no idea and can't reproduce locally :( Maybe you'd know how to force the "-engine rdrand" path through "openssl.cnf"? >A rogue configuration file could cause the DRBGs/seeds to fail. Do you >have seed=rdrand line in the

Re: OpenSSL-3.+ how to configure [random]?

2021-11-09 Thread Dr Paul Dale
Currently I've no idea and can't reproduce locally :( A rogue configuration file could cause the DRBGs/seeds to fail.  Do you have seed=rdrand line in the random section?  That will cause the seeding source to fail to load at all. Pauli On 10/11/21 1:10 pm, Blumenthal, Uri - 0553 - MITLL

Re: OpenSSL-3.+ how to configure [random]?

2021-11-09 Thread Blumenthal, Uri - 0553 - MITLL
Thank you! I'm trying to: a. understand why something like "openssl-3 rand -hex 4" does not work (returns empty string), but "openssl-3 rand -engine rdrand -hex 4" works fine, and gives me my random bytes - here's an illustration $ openssl3 version OpenSSL 3.1.0-dev (Library: OpenSSL

Re: OpenSSL-3.+ how to configure [random]?

2021-11-09 Thread Dr Paul Dale
Currently there is exactly one seed source that is usable in OpenSSL 3.0: "SEED-SRC".  It is documented in EVP_RAND-SEED-SRC.  The reason the seed source can be set is to allow you to use a third party provider than includes one. If you want to force RDRAND as the only seeding source, this