Count to twenty before answering...

On Mon, May 07, 2001 at 09:58:54AM -0500, Hynds, R Michael wrote:
> Since the error message was specific I thought I'd take a look at the
> indicated module (../openssl-0.9.6a/crypto/rand/md_rand.c).  It seems
> that the variable "ok" was set to zero.  Working my way down the
> function I found "ok = (entropy >= ENTROPY_NEEDED);"  The following
> statement checked the value of "ok".  I noticed that the if statement
> didn't modify "ok" back to one.  I added "ok=1;" after line 378 and
> things seemed to work okay.
> 
> After this I built Apache with mod_ssl and everything seemed to work.
> My question is: "does the above code change solve the problem or did I
> just solve a symptom?".

The check you just set out of effect is there for a very good reason.
It shall ensure that only when enough entropy was added (entropy >=
ENTROPY_NEEDED), random numbers can be generated.
If the PRNG is not sufficiently seeded, your cryptographic keys are
weak and can be (easily!?) broken, therefore the OpenSSL library
insists on sufficient seeding.
Please check out the mod_ssl documentation about the SSLRandomSeed
directive. There or in the OpenSSL FAQ you will find that on AIX
you'll probably have to use EGD or PRNGD, as no /dev/urandom device
is available.
With respect to the key generation, I don't know whether the mod_ssl
build process supports specification of an entropy source. In any case
you can use the "openssl rand" command to generate a $HOME/.rnd file
that will be used as a backup entropy source for "openssl genrsa".

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

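The entropy gate Lutz describes, modelled as an added example (my own toy code, not OpenSSL's md_rand.c): the PRNG refuses output until the credited entropy reaches ENTROPY_NEEDED, and the remedy is to feed a real source such as an "openssl rand" seed file rather than to force ok = 1. The 32-byte threshold, the XOR pool and all function names are assumptions made for illustration.

```c
/* Toy model of the seeding gate in OpenSSL 0.9.6's md_rand.c (hypothetical simplification, not the library's code). */
#include <stdio.h>
#include <string.h>

#define ENTROPY_NEEDED 32  /* 256 bits, assumed to match md_rand.c's constant */
#define POOL_SIZE 64

/* pool: toy XOR mixing pool (not MD5); entropy: bytes credited so far */
struct prng { unsigned char pool[POOL_SIZE]; size_t pos; double entropy; };

void prng_init(struct prng *p) { memset(p, 0, sizeof *p); }

/* Like RAND_add(): every byte is mixed in, but only the entropy the caller
 * vouches for is credited (time, pid, constants: credit 0). */
void prng_add(struct prng *p, const unsigned char *buf, size_t num, double entropy)
{
    for (size_t i = 0; i < num; i++) {
        p->pool[p->pos] ^= buf[i];
        p->pos = (p->pos + 1) % POOL_SIZE;
    }
    p->entropy += entropy;
    if (p->entropy > ENTROPY_NEEDED) p->entropy = ENTROPY_NEEDED;
}

/* The check the thread is about: ok = (entropy >= ENTROPY_NEEDED). */
int prng_is_seeded(const struct prng *p) { return p->entropy >= ENTROPY_NEEDED; }

/* Like RAND_bytes(): return 0 while unseeded rather than emit output that
 * could be reconstructed from the public inputs mixed so far. */
int prng_bytes(struct prng *p, unsigned char *out, size_t n)
{
    if (!prng_is_seeded(p)) return 0;  /* caller must seed, not patch "ok = 1" */
    for (size_t i = 0; i < n; i++)
        out[i] = p->pool[(p->pos + i) % POOL_SIZE];  /* toy extraction */
    return 1;
}

/* Remedy on a host without /dev/urandom: read a seed file such as the
 * $HOME/.rnd written by "openssl rand", crediting one byte per byte read. */
int prng_seed_from_file(struct prng *p, const char *path)
{
    unsigned char buf[ENTROPY_NEEDED];
    FILE *f = fopen(path, "rb");
    size_t n;
    if (!f) return 0;
    while ((n = fread(buf, 1, sizeof buf, f)) > 0)
        prng_add(p, buf, n, (double)n);
    fclose(f);
    return prng_is_seeded(p);
}
```

Mixing in kilobytes of pid and timestamp data with a credit of 0 never opens the gate; only bytes from a source that is genuinely unpredictable to an attacker should be credited.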