Odd PRNG behavior between 0.9.7g and 0.9.8

Odd PRNG behavior between 0.9.7g and 0.9.8

Robert Zilbauer
Hello. I ran into some odd PRNG related errors after switching from OpenSSL
0.9.7g to 0.9.8 on Solaris 2.7 today. I checked through the archives of this
mailing list that I could find and I didn't see an answer in the FAQ, but if
there's a place I missed please let me know. I'd happily RTFM.

Compiling 0.9.8 worked perfectly and all of the post-compilation tests went
off without a hitch.

When compiling Apache with the latest mod_ssl in place, however, doing a "make
certificate" (just to generate a dummy cert) fails with a "PRNG not seeded"
error. That was the first clue that something had possibly changed.

Using the old 0.9.7g binary, I can create a key and self-signed cert the way
I've been doing it for a while:

  charlie> openssl version
  OpenSSL 0.9.7g 11 Apr 2005

  charlie> openssl genrsa -out filename.key 1024
  Generating RSA private key, 1024 bit long modulus
  .++++++
  ..............++++++
  e is 65537 (0x10001)

  charlie> openssl req -new -key filename.key -x509 -out filename.crt
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [AU]:
  State or Province Name (full name) [Some-State]:
  Locality Name (eg, city) []:test
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:
  Organizational Unit Name (eg, section) []:test
  Common Name (eg, YOUR name) []:testtest
  Email Address []:[hidden email]

  charlie> ls -l filename*
  -rw-r--r--    1 zilbauer user         1338 Aug 11 16:44 filename.crt
  -rw-r--r--    1 zilbauer user          887 Aug 11 16:43 filename.key


However, with the new OpenSSL, that process fails.

  charlie> openssl version
  OpenSSL 0.9.8 05 Jul 2005

  charlie> openssl genrsa -out filename.key 1024
  Generating RSA private key, 1024 bit long modulus
  .........................++++++
  ...++++++
  e is 65537 (0x10001)

  charlie> openssl req -new -key filename.key -x509 -out filename.crt
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [AU]:
  State or Province Name (full name) [Some-State]:
  Locality Name (eg, city) []:test
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:
  Organizational Unit Name (eg, section) []:test
  Common Name (eg, YOUR name) []:testtest
  Email Address []:[hidden email]
  15574:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:503:You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
  15574:error:04088003:rsa routines:RSA_setup_blinding:BN lib:rsa_lib.c:407:
  15574:error:04066044:rsa routines:RSA_EAY_PRIVATE_ENCRYPT:internal error:rsa_eay.c:364:
  15574:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:a_sign.c:276:


Using a different command line method will result in the generation of the key
and the self-signed certificate. Using:

  openssl req -nodes -new -keyout filename.key -x509 -out filename.crt

in OpenSSL 0.9.8 combines my usual two steps into one step and works like a
charm. No PRNG errors.

So, nothing's "broken"; I'm just curious if this is indeed a change in the
OpenSSL command or if I've got something wonky on my system.

Thanks!

--
"Kids today need discipline. It's not a popular word these days:
discipline.  I know Principal Flutie would have said, 'Kids need
understanding.   Kids  are  human  beings.'  That's the  kind of
wooly-headed  liberal  thinking  that  leads  to  being  eaten."
           - Principal Snyder, Buffy the Vampire Slayer #9
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Odd PRNG behavior between 0.9.7g and 0.9.8

prakash babu
Hello Robert,

I think the problem is with your Pseudo Random Number Generator and not OpenSSL 0.9.8.
i. Check if your system has /dev/random or /dev/urandom.
ii. If /dev/random and /dev/urandom are not present, then make sure prngd is running.
iii. If your answer is yes to question i or ii, then check if the random seed file is created in $HOME/.rnd. If it is not created, set your environment variable $HOME or set the RANDFILE variable in openssl.cnf to an existing location.

Thanks,
Prakash

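The reply's three checks and the error line from the original post, combined into a small shell diagnostic; this is an added example, not code from the OpenSSL project or either poster. It assumes a POSIX sh with ps -e, takes the device paths, daemon name and seed-file rules exactly as the reply gives them, and the function names are ours.

```shell
# Added example, not OpenSSL project code or either poster's: detect the
# "PRNG not seeded" error from this thread and run the reply's three checks.

# Returns 0 if an openssl error line reports the unseeded-PRNG condition.
# Line layout: pid:error:code:library:function:reason:file:line:extra
is_prng_not_seeded() {
    case "$1" in *":random number generator:"*":PRNG not seeded:"*) return 0 ;; esac
    return 1
}

# Check i: is there a character-device entropy source? Paths are passed in
# so the check can be pointed at the real /dev or at test locations.
have_entropy_device() {
    for dev in "$@"; do [ -c "$dev" ] && return 0; done
    return 1
}

# Check ii: the fallback daemon; assumes ps -e lists all processes (Solaris, Linux).
prngd_running() {
    ps -e 2>/dev/null | grep -q '[p]rngd'
}

# Check iii: the seed file openssl will use, $RANDFILE if set, else $HOME/.rnd.
# Fails when neither variable is set, which is the case the reply says to fix.
seed_file_path() {
    if [ -n "$RANDFILE" ]; then printf '%s\n' "$RANDFILE"
    elif [ -n "$HOME" ]; then printf '%s\n' "$HOME/.rnd"
    else return 1
    fi
}

# Returns 0 when the seed file exists or openssl could create it there.
seed_file_usable() {
    p=$(seed_file_path) || return 1
    [ -f "$p" ] || [ -w "$(dirname "$p")" ]
}

# Runs the checks in the reply's order; returns 0 only when an entropy
# source and a usable seed file are both found.
diagnose() {
    if have_entropy_device /dev/random /dev/urandom; then src=device
    elif prngd_running; then src=prngd
    else src=none; fi
    if seed_file_usable; then seed=ok; else seed=missing; fi
    echo "entropy=$src seedfile=$seed"
    [ "$src" != none ] && [ "$seed" = ok ]
}

diagnose || echo "seed the PRNG before running openssl genrsa/req"
```

Run it on the failing host before retrying openssl genrsa or req; a verdict of entropy=none means neither a device nor prngd was found, and seedfile=missing means RANDFILE or $HOME needs to point somewhere writable.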
