Article delegate-en/947 of [1-5169] on the server localhost:119
  upper oldest olders older1 this newer1 newers latest
search
[Top/Up] [oldest] - [Older+chunk] - [Newer+chunk] - [newest + Check]
[Reference:<_A945@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: ssl bug
26 Dec 2000 14:51:13 GMT Hue Le <pwabqbdyi-tqqtzd45azfr.ml@ml.delegate.org>
Cisco Systems, Inc.


Thanks. It works!
Hue

Yutaka Sato wrote:

> Hi,
>
> On 12/24/00(00:20) you Hue Le <pwabqbdyi-tqqtzd45azfr.ml@ml.delegate.org> wrote
> in <_A944@delegate-en.ML_>
>  |12/23 07:19:16.75 [16978] 2+1: -- Fork(FSV): 16977 -> 16978
>  |12/23 07:19:16.75 [16978] 2+1: #### execFilter[FSV]
>  |[/home/huele/FAILOVER/delegate6.1.21/lib/sslway]sslway
> ...
>  |## SSLway[16978](huele-dsl4) connect failed
>  |16978:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not
>  |seeded:md_rand.c:474:You need to read the OpenSSL FAQ,
>  |http://www.openssl.org/support/faq.html
> ...
>  |And check http://www.openssl.org/support/faq.html . Any idea?
>  |1. Why do I get a "PRNG not seeded" error message?
>  |
>  |              Cryptographic software needs a source of unpredictable
>  |data to work correctly. Many open source operating systems provide a
>  |"randomness
>  |              device" that serves this purpose. On other systems,
>  |applications have to call the RAND_add() or RAND_seed() function with
>  |appropriate data
>  |              before generating keys or performing public key
>  |encryption.
> ...
>  |              On systems without /dev/urandom, it is a good idea to use
>  |the Entropy Gathering Demon; see the RAND_egd() manpage for details.
> ...
>  |              Some broken applications do not do this. As of version
>  |0.9.5, the OpenSSL functions that need randomness report an error if the
>
> Thank you for your informative notice.  I've not noticed the problem
> since I am used to use openSSL 0.9.4.
> I reproduced the problem on Solaris2.6 without /dev/urandom, and fixed
> it with the enclosed patch.
>
> Cheers,
> Yutaka
> --
> Yutaka Sato <ysato@etl.go.jp> http://www.etl.go.jp/~ysato/   @ @
> Computer Science Division, Electrotechnical Laboratory      ( - )
> 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan            _<   >_
>
> *** ../../delegate6.1.22/filters/sslway.c       Tue Nov 28 20:30:53 2000
> --- sslway.c    Mon Dec 25 14:00:55 2000
> ***************
> *** 468,473 ****
> --- 468,485 ----
>                 *isHTTP = 1;
>         return 0;
>   }
> + static rand_seed()
> + {     int seed[8],si;
> +
> +       seed[0] = Gettimeofday(&seed[1]);
> +       seed[2] = getpid();
> +       seed[3] = getuid();
> +       seed[4] = (int)seed;
> +       seed[5] = (int)&rand_seed;
> +       RAND_seed(seed,sizeof(seed));
> +       for( si = 0; si < 8; si++ )
> +               seed[si] = 0;
> + }
>   static _passwd(what,pass,buf,siz,vrfy)
>         char *what,*pass;
>         char *buf;
> ***************
> *** 495,501 ****
>
>   static put_help()
>   {
> !       syslog_ERROR("SSLway 2000-11-28 <ysato@delegate.org>\r\n");
>   }
>   main(ac,av)
>         char *av[];
> --- 507,513 ----
>
>   static put_help()
>   {
> !       syslog_ERROR("SSLway 2000-12-26 <ysato@delegate.org>\r\n");
>   }
>   main(ac,av)
>         char *av[];
> ***************
> *** 653,659 ****
> --- 665,674 ----
>         conSSL = NULL;
>
>         if( do_conSSL || do_accSSL )
> +       {
> +               rand_seed();
>                 TRACE("start");
> +       }
>
>         fdv[0] = accfd;
>         fdv[1] = confd;


  admin search upper oldest olders older1 this newer1 newers latest
[Top/Up] [oldest] - [Older+chunk] - [Newer+chunk] - [newest + Check]
@_@V