Count to twenty before answering...

On Mon, May 07, 2001 at 09:58:54AM -0500, Hynds, R Michael wrote:
> Since the error message was specific I thought I'd take a look at the
> indicated module (../openssl-0.9.6a/crypto/rand/md_rand.c). It seems
> that the variable "ok" was set to zero. Working my way down the
> function I found "ok = (entropy >= ENTROPY_NEEDED);" The following
> statement checked the value of "ok". I noticed that the if statement
> didn't modify "ok" back to one. I added "ok=1;" after line 378 and
> things seemed to work okay.
>
> After this I built Apache with mod_ssl and everything seemed to work.
> My question is: "does the above code change solve the problem or did I
> just solve a symptom?".

The check you just set out of effect is there for a very good reason.
It shall ensure that only when enough entropy was added
(entropy >= ENTROPY_NEEDED), random numbers can be generated.
If the PRNG is not sufficiently seeded, your cryptographic keys are weak
and can be (easily!?) broken, therefore the OpenSSL library insists on
sufficient seeding.

Please check out the mod_ssl documentation about the SSLRandomSeed
directive. There or in the OpenSSL FAQ you will find that on AIX you'll
probably have to use EGD or PRNGD, as no /dev/urandom device is available.

With respect to the key generation, I don't know whether the mod_ssl build
process supports specification of an entropy source. In any case you can
use the "openssl rand" command to generate a $HOME/.rnd file that will be
used as a backup entropy source for "openssl genrsa".

Best regards,
    Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
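
The effect of the "ok=1;" edit discussed in this message, as an added example that is not part of the original e-mail and is not OpenSSL's md_rand.c: a toy pool with the same kind of seeding gate. The names toy_prng, toy_init, toy_add, toy_bytes and toy_key, the mixing functions, the entropy estimate of one byte per seed character, and the ENTROPY_NEEDED value of 16 are assumptions made for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ENTROPY_NEEDED 16.0 /* bytes; value assumed for this model */

typedef struct {
    uint64_t state;   /* starts at a fixed constant anyone can read from the source */
    double entropy;   /* running estimate of entropy added, in bytes */
} toy_prng;

void toy_init(toy_prng *p) { p->state = 0x9E3779B97F4A7C15ULL; p->entropy = 0.0; }

/* Mix seed bytes into the state (FNV-1a style, not cryptographic). */
void toy_add(toy_prng *p, const void *buf, size_t len, double est) {
    const unsigned char *b = buf;
    for (size_t i = 0; i < len; i++) {
        p->state ^= b[i];
        p->state *= 0x100000001B3ULL;
    }
    p->entropy += est;
}

/* Returns 1 and fills out[] if seeded, else 0. force_ok models the "ok=1;" edit. */
int toy_bytes(toy_prng *p, unsigned char *out, size_t len, int force_ok) {
    int ok = (p->entropy >= ENTROPY_NEEDED);
    if (force_ok) ok = 1;            /* the gate no longer depends on seeding */
    if (!ok) return 0;               /* unmodified behaviour: refuse, caller sees an error */
    for (size_t i = 0; i < len; i++) {
        if (i % 8 == 0) {            /* xorshift64 step every 8 output bytes */
            p->state ^= p->state << 13;
            p->state ^= p->state >> 7;
            p->state ^= p->state << 17;
        }
        out[i] = (unsigned char)(p->state >> (8 * (i % 8)));
    }
    return 1;
}

/* Generate a 16-byte "key" on a fresh pool; seed may be NULL (nothing added).
 * The entropy estimate of strlen(seed) bytes is a generous assumption. */
int toy_key(const char *seed, int force_ok, unsigned char key[16]) {
    toy_prng p;
    toy_init(&p);
    if (seed) toy_add(&p, seed, strlen(seed), (double)strlen(seed));
    return toy_bytes(&p, key, 16, force_ok);
}
```

With the gate forced open, every unseeded pool emits the same 16 bytes, so a key made from them can be recomputed by anyone who has the source; with the gate intact the call fails until enough seed material has been added.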