diff options
Diffstat (limited to 'crypto/openssl/FAQ')
-rw-r--r-- | crypto/openssl/FAQ | 66 |
1 files changed, 53 insertions, 13 deletions
diff --git a/crypto/openssl/FAQ b/crypto/openssl/FAQ index cd759e0..23e212f 100644 --- a/crypto/openssl/FAQ +++ b/crypto/openssl/FAQ @@ -17,6 +17,7 @@ OpenSSL - Frequently Asked Questions [USER] Questions on using the OpenSSL applications * Why do I get a "PRNG not seeded" error message? +* Why do I get an "unable to write 'random state'" error message? * How do I create certificates or certificate requests? * Why can't I create certificate requests? * Why does <SSL program> fail with a certificate verify error? @@ -47,6 +48,7 @@ OpenSSL - Frequently Asked Questions * Why do I get errors about unknown algorithms? * Why can't the OpenSSH configure script detect OpenSSL? * Can I use OpenSSL's SSL library with non-blocking I/O? +* Why doesn't my server application receive a client certificate? =============================================================================== @@ -55,7 +57,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from <URL: http://www.openssl.org>. -OpenSSL 0.9.6a was released on April 5th, 2001. +OpenSSL 0.9.6b was released on July 9th, 2001. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at <URL: @@ -160,6 +162,7 @@ correctly. Many open source operating systems provide a "randomness device" that serves this purpose. On other systems, applications have to call the RAND_add() or RAND_seed() function with appropriate data before generating keys or performing public key encryption. +(These functions initialize the pseudo-random number generator, PRNG.) Some broken applications do not do this. As of version 0.9.5, the OpenSSL functions that need randomness report an error if the random @@ -169,18 +172,36 @@ application you are using. It is likely that it never worked correctly. OpenSSL 0.9.5 and later make the error visible by refusing to perform potentially insecure encryption. -On systems without /dev/urandom, it is a good idea to use the Entropy -Gathering Demon; see the RAND_egd() manpage for details. - -Most components of the openssl command line tool try to use the -file $HOME/.rnd (or $RANDFILE, if this environment variable is set) -for seeding the PRNG. If this file does not exist or is too short, -the "PRNG not seeded" error message may occur. - -[Note to OpenSSL 0.9.5 users: The command "openssl rsa" in version -0.9.5 does not do this and will fail on systems without /dev/urandom -when trying to password-encrypt an RSA key! This is a bug in the -library; try a later version instead.] +On systems without /dev/urandom and /dev/random, it is a good idea to +use the Entropy Gathering Demon (EGD); see the RAND_egd() manpage for +details. Starting with version 0.9.7, OpenSSL will automatically look +for an EGD socket at /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool and +/etc/entropy. + +Most components of the openssl command line utility automatically try +to seed the random number generator from a file. The name of the +default seeding file is determined as follows: If environment variable +RANDFILE is set, then it names the seeding file. Otherwise if +environment variable HOME is set, then the seeding file is $HOME/.rnd. +If neither RANDFILE nor HOME is set, versions up to OpenSSL 0.9.6 will +use file .rnd in the current directory while OpenSSL 0.9.6a uses no +default seeding file at all. OpenSSL 0.9.6b and later will behave +similarly to 0.9.6a, but will use a default of "C:" for HOME on +Windows systems if the environment variable has not been set. + +If the default seeding file does not exist or is too short, the "PRNG +not seeded" error message may occur. + +The openssl command line utility will write back a new state to the +default seeding file (and create this file if necessary) unless +there was no sufficient seeding. + +Pointing $RANDFILE to an Entropy Gathering Daemon socket does not work. +Use the "-rand" option of the OpenSSL command line tools instead. +The $RANDFILE environment variable and $HOME/.rnd are only used by the +OpenSSL command line tools. Applications using the OpenSSL library +provide their own configuration options to specify the entropy source, +please check out the documentation coming the with application. For Solaris 2.6, Tim Nibbe <tnibbe@sprint.net> and others have suggested installing the SUNski package from Sun patch 105710-01 (Sparc) which @@ -190,6 +211,18 @@ versions. However, be warned that /dev/random is usually a blocking device, which may have some effects on OpenSSL. +* Why do I get an "unable to write 'random state'" error message? + + +Sometimes the openssl command line utility does not abort with +a "PRNG not seeded" error message, but complains that it is +"unable to write 'random state'". This message refers to the +default seeding file (see previous answer). A possible reason +is that no default filename is known because neither RANDFILE +nor HOME is set. (Versions up to 0.9.6 used file ".rnd" in the +current directory in this case, but this has changed with 0.9.6a.) + + * How do I create certificates or certificate requests? Check out the CA.pl(1) manual page. This provides a simple wrapper round @@ -543,5 +576,12 @@ requiring a bi-directional message exchange; both SSL_read() and SSL_write() will try to continue any pending handshake. +* Why doesn't my server application receive a client certificate? + +Due to the TLS protocol definition, a client will only send a certificate, +if explicitely asked by the server. Use the SSL_VERIFY_PEER flag of the +SSL_CTX_set_verify() function to enable the use of client certificates. + + =============================================================================== |