Hello. I ran into some odd PRNG related errors after switching from OpenSSL 
0.9.7g to 0.9.8 on Solaris 2.7 today. I checked through the archives of this 
mailing list that I could find and I didn't see an answer in the FAQ, but if 
there's a place I missed please let me know. I'd happily RTFM.

Compiling 0.9.8 worked perfectly and all of the post-compilation tests went 
off without a hitch.

When compiling Apache with the latest mod_ssl in place, however, doing a "make 
certificate" (just to generate a dummy cert) fails with a "PRNG not seeded" 
error. That was the first clue that something had possibly changed.

Using the old 0.9.7g binary, I can create a key and self-signed cert the way 
I've been doing it for a while: 

  charlie> openssl version
  OpenSSL 0.9.7g 11 Apr 2005

  charlie> openssl genrsa -out filename.key 1024
  Generating RSA private key, 1024 bit long modulus
  .++++++
  ..............++++++
  e is 65537 (0x10001)

  charlie> openssl req -new -key filename.key -x509 -out filename.crt
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [AU]:
  State or Province Name (full name) [Some-State]:
  Locality Name (eg, city) []:test
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:
  Organizational Unit Name (eg, section) []:test
  Common Name (eg, YOUR name) []:testtest
  Email Address []:[EMAIL PROTECTED]

  charlie> ls -l filename*
  -rw-r--r--    1 zilbauer user         1338 Aug 11 16:44 filename.crt
  -rw-r--r--    1 zilbauer user          887 Aug 11 16:43 filename.key


However, with the new OpenSSL, that process fails.

  charlie> openssl version
  OpenSSL 0.9.8 05 Jul 2005

  charlie> openssl genrsa -out filename.key 1024
  Generating RSA private key, 1024 bit long modulus
  .........................++++++
  ...++++++
  e is 65537 (0x10001)

  charlie> openssl req -new -key filename.key -x509 -out filename.crt
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [AU]:
  State or Province Name (full name) [Some-State]:
  Locality Name (eg, city) []:test
  Organization Name (eg, company) [Internet Widgits Pty Ltd]:
  Organizational Unit Name (eg, section) []:test
  Common Name (eg, YOUR name) []:testtest
  Email Address []:[EMAIL PROTECTED]
  15574:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:503:You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
  15574:error:04088003:rsa routines:RSA_setup_blinding:BN lib:rsa_lib.c:407:
  15574:error:04066044:rsa routines:RSA_EAY_PRIVATE_ENCRYPT:internal error:rsa_eay.c:364:
  15574:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:a_sign.c:276:


Using a different command line method will result in the generation of the key 
and the self-signed certificate. Using: 

  openssl req -nodes -new -keyout filename.key -x509 -out filename.crt

in OpenSSL 0.9.8 combines my usual two steps into one step and works like a 
charm. No PRNG errors.

So, nothing's "broken"; I'm just curious whether this is indeed a change in the 
OpenSSL command or if I've got something wonky on my system.

Thanks!

-- 
"Kids today need discipline. It's not a popular word these days:
discipline.  I know Principal Flutie would have said, 'Kids need
understanding.   Kids  are  human  beings.'  That's the  kind of 
wooly-headed  liberal  thinking  that  leads  to  being  eaten." 
           - Principal Snyder, Buffy the Vampire Slayer #9
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
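The post above stops at the workaround (one-step `req -nodes`) without seeding the PRNG. Below is an added example, not code from the original post or from the OpenSSL project, of the practice the FAQ error message points at: give `genrsa`/`req` explicit seed material with `-rand`, keep a persistent state file via `RANDFILE`, and probe the PRNG with `openssl rand` before generating a key, since `openssl rand` fails with the same "PRNG not seeded" error that `req` does. It assumes `openssl` is on `PATH`; the working directory, seed and state file names, and the helper functions (`build_rand_arg`, `has_entropy_device`, `prng_ok`, `demo`) are made up for the example.

```shell
#!/bin/sh
# Added example (not the original poster's or OpenSSL's code): seed OpenSSL's
# PRNG explicitly instead of relying on a command-line form that happens to work.
# Assumptions: "openssl" is on PATH; $WORK and the file names are invented here.
set -u

# Build the colon-separated file list that openssl's -rand option expects,
# keeping only candidates that exist and are readable on this host.
build_rand_arg() {
  out=""
  for f in "$@"; do
    if [ -r "$f" ]; then
      out="${out:+$out:}$f"
    fi
  done
  printf '%s\n' "$out"
}

# Does this host expose a kernel entropy device openssl can read directly?
# (Old Solaris releases such as 2.7 do not ship /dev/urandom by default.)
has_entropy_device() {
  [ -c /dev/urandom ] || [ -c /dev/random ]
}

# Probe: "openssl rand" uses the same RAND_bytes path that signing does, so it
# fails with "PRNG not seeded" under exactly the conditions req fails.
# $1 is an optional -rand file list; returns 0 when the PRNG is usable.
prng_ok() {
  if [ -n "${1:-}" ]; then
    openssl rand -rand "$1" 16 >/dev/null 2>&1
  else
    openssl rand 16 >/dev/null 2>&1
  fi
}

demo() {
  WORK=$(mktemp -d) || return 1
  SEED="$WORK/seed"
  export RANDFILE="$WORK/rnd"   # state file openssl reads at start and writes back on exit
  umask 077                     # seed material and private keys must not be world-readable

  if has_entropy_device; then
    # Draw the seed file from the kernel device. Never fabricate seed material
    # from predictable input (dates, process listings): keys would be weak.
    openssl rand -out "$SEED" 1024 || { rm -rf "$WORK"; return 1; }
  else
    # No device: the seed file has to come from a host that has one (copied
    # over a protected channel) or from an EGD/PRNGD daemon, per the FAQ.
    echo "no entropy device; supply $SEED from a seeded host or EGD/PRNGD" >&2
    rm -rf "$WORK"; return 1
  fi

  RAND=$(build_rand_arg "$SEED" "$RANDFILE" /dev/urandom)
  if ! prng_ok "$RAND"; then
    echo "PRNG still not seeded with -rand $RAND" >&2
    rm -rf "$WORK"; return 1
  fi

  # Same two-step flow as the post, now with explicit seeding on both steps
  # (genrsa needs random bits for the primes, req needs them for RSA blinding).
  openssl genrsa -rand "$RAND" -out "$WORK/filename.key" 2048 2>/dev/null &&
  openssl req -rand "$RAND" -new -key "$WORK/filename.key" -x509 -days 365 \
      -subj "/O=test/OU=test/CN=testtest" -out "$WORK/filename.crt" &&
  openssl x509 -in "$WORK/filename.crt" -noout -subject
  rc=$?
  rm -rf "$WORK"
  return $rc
}

# Run the end-to-end demo only where openssl is actually installed.
if command -v openssl >/dev/null 2>&1; then
  demo
fi
```

Two practical notes. First, `-nodes` in the workaround only skips encrypting the private key with a passphrase; the original `genrsa` call without `-des3` also wrote the key unencrypted, so the one-step form is no weaker on that point, it just does not explain why the PRNG was happy. Second, the `-rand` list is read in order and the readable members are fed to the PRNG; `build_rand_arg` drops missing entries so the command does not fail on a host where, say, `/dev/urandom` is absent.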