Article delegate-en/1010 of [1-5169] on the server localhost:119
  upper oldest olders older1 this newer1 newers latest
search
[Top/Up] [oldest] - [Older+chunk] - [Newer+chunk] - [newest + Check]

Newsgroups: mail-lists.delegate-en

[DeleGate-En] late-model OpenSSL and sslway
08 Feb 2001 00:52:51 GMT Craig Scratchley <p6ebqbdyi-t7hpmu4lwfxr.ml@ml.delegate.org>


sslway has problems with recent versions of OpenSSL, at least on the
following platform:

SunOS 5.8 Generic_108528-01 sun4u sparc

To be specific, openssl-0.9.4 seems to work, but openssl-0.9.6 does not
work.  From the openssl FAQ, I understand that openssl-0.9.5x also should
not work.

This is the error message which DeleGate reports in its output:

02/07 09:38:38.77 [10915] 3+1: -- Fork(FSV): 10914 -> 10915
02/07 09:38:38.77 [10915] 3+1: #### execFilter[FSV]
[/export/home/build/delegate/lib/sslway]sslway
02/07 09:38:38.80 [10914] 3+1: HTTP => (authorize.net:443) GET / HTTP/1.0^M
02/07 09:38:38.80 [10914] 3+1: #HT11 FORCE HTTP/1.1 or Connection:keep-alive
## SSLway[10915](192.168.1.84) connect failed
10915:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not
seeded:md_rand.c:474:You need to read the OpenSSL FAQ,
http://www.openssl.org/support/faq.html

Is sslway a "broken application"?

This is what the FAQ says:

1. Why do I get a "PRNG not seeded" error message?

Cryptographic software needs a source of unpredictable data to work
correctly. Many open source operating systems provide a "randomness device"
that serves this purpose. On other systems, applications have to call the
RAND_add() or RAND_seed() function with appropriate data before generating
keys or performing public key encryption.

Some broken applications do not do this. As of version 0.9.5, the OpenSSL
functions that need randomness report an error if the random number
generator has not been seeded with at least 128 bits of randomness. If this
error occurs, please contact the author of the application you are using. It
is likely that it never worked correctly. OpenSSL 0.9.5 and later make the
error visible by refusing to perform potentially insecure encryption.

On systems without /dev/urandom, it is a good idea to use the Entropy
Gathering Demon; see the RAND_egd() manpage for details.

...


For Solaris 2.6, Tim Nibbe <tnibbe@sprint..> and others have suggested
installing the SUNski package from Sun patch 105710-01 (Sparc) which adds a
/dev/random device and make sure it gets used, usually through $RANDFILE.
There are probably similar patches for the other Solaris versions. However,
be warned that /dev/random is usually a blocking device, which may have some
effects on OpenSSL.


  admin search upper oldest olders older1 this newer1 newers latest
[Top/Up] [oldest] - [Older+chunk] - [Newer+chunk] - [newest + Check]
@_@V