Hello Mike.

Steffen Nurpmeso wrote in <20190104122559.i8qfa%stef...@sdaoden.eu>:
 |--- Forwarded from Mike Sharov <msha...@users.sourceforge.net> ---
 ...
 |I am getting the following error when running s-nail 14.9.11 on Arch:
 |
 |mail: Panic: Cannot seed the *TLS PseudoRandomNumberGenerator,
 |RAND_status() is 0!
 |
 |  Please set *tls-rand-file* to a file with sufficient entropy.
 |  On a machine with entropy: "$ dd if=/dev/urandom of=FILE bs=1024 count=1"
 |
 |Aborted

Interesting, i have never seen this, across the whole range of LibreSSL
and OpenSSL versions that have passed by in the last years.  Even in VMs!

 |The error appears to be coming from a_xtls_rand_init in xtls.c, which
 |attempts to load a random seed file to initialize openssl RNG. This is
 |inappropriate. The RNG should be initialized by reading /dev/random, or,
 |if the kernel supports it, the getrandom syscall.

So first of all, we do support this also, it is a compile-time
switch.  You could ask the ArchLinux maintainer to switch (the
order of) VAL_RANDOM.
(And please do not use /dev/random to initialize this stuff,
/dev/urandom should be sufficient.)

Why do you think it is inappropriate?  It is the documented way of
initializing the OpenSSL PRNG.

 |There is mention of tls-rand-file option, but it is marked deprecated
 |in the sources and does not seem to ever be actually set.

No, it is not; who says that?  It is brand new indeed.  You could
also leave it unset, in which case we would use the OpenSSL
builtin name (RAND_file_name(3ssl)).

 |Is there a workaround for this problem? By disabling TLS support,
 |perhaps, since I only use s-nail for the local mailbox.

I agree we could actually encapsulate all this for OpenSSL 1.1.x
and later, since i think the operations in question are dummies
there, and RAND_file_name() redirects to /dev/null, or something
like that.  (Not that i like that.)

Just recently i have been pointed to a publication of the German
BSI about the Linux random number generator, and was surprised by
the fact that the in-between-boot random seed storage
(/var/lib/random-seed here) does not seem to be used at all
anymore (i.e., that writing to /dev/urandom does not account for
entropy at all).  I have to say i do not really understand this;
these are good random bytes, aren't they?  (And if they are on my box
already, and can access that storage, hu-hu-hu ...)

Here on my box, which uses OpenSSL 1.1.1a, RAND_write_file() does
still work and saves ~/.rnd:

  #?0|essex:steffen$ ll /home/steffen/.rnd
  -rw------- 1 steffen steffen 1024 Jan  4 12:26 /home/steffen/.rnd

And that we feed base64-encoded output of the random number
generator back into itself at least once: is that really so bad?
I mean, the internal state of the OpenSSL PRNG is not known, and
we add noise into it which will be stirred through the entire
buffer, i presume.  I presume a lot of maths to mix up the stuff
we feed in.  I do not know.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
