Re: EGD not used?
OpenLDAP 2.0 can be configured to use an EGD or an arbitrary
file containing random bits via the ldap.conf TLS_RANDFILE
At 12:05 PM 1/4/01 -0700, Karl Bolingbroke wrote:
>I know that no one wants to see another message on "PRNG not
>seeded", but be patient. I'm running OpenLDAP 2.0.7 on
>HP-UX 11.00 with OpenSSL 0.9.6 and EGD 0.8. I've been
>testing for a while, and everything but SSL works just fine.
>Now I'm testing SSL connections, and I get the dreaded
>message "PRNG not seeded". This was quite a surprise to me
>since I'm also using EGD for OpenSSH, and it works just
>I did a little debugging and found that when I use OpenSSH,
>it does request data from the EGD socket. Similar testing
>showed that OpenLDAP was NOT making a request to EGD. Both
>of these tests were run on the same machine, with the
>RANDFILE variable set to the EGD socket path.
>After great searching, I found a reference at
>03.html saying that, in fact, OpenSSL only partially
>supports the use of EGD. This information was prior to the
>release of v0.9.6, but it appears to still be true. I did
>tests with the openssl command-line tool and found that it
>ignores both the RANDFILE environment variable and the
>RANDFILE directive in openssl.cnf. In order to get it to
>use the EGD socket, you have to pass it a "-rand" argument.
>So, has the OpenLDAP code taken this into account? When
>OpenLDAP calls OpenSSH routines, is there a way to make it
>pass the "-rand" argument as well? Is there another way to
>make OpenLDAP use EGD or is there another alternative to
>/dev/random that does work with OpenLDAP? Thanks for your
>Flying J Inc.
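As an added example, not part of the thread above and not code from the OpenLDAP project: the ldap.conf setting the reply refers to, written out, plus a small check that the path it names actually exists as an EGD/PRNGD socket or a non-empty file of random bytes. The socket path /var/run/egd-pool and the CA path are assumptions; substitute whatever your EGD listens on.

```shell
#!/bin/sh
# Added example: configure OpenLDAP's TLS_RANDFILE and sanity-check it.
# Assumed paths (not from the thread): /var/run/egd-pool, /etc/openldap/cacert.pem

write_example_conf() {
    # $1 = ldap.conf to write, $2 = entropy source (EGD socket or seed file).
    # Constructed sample ldap.conf, not the poster's real configuration.
    cat > "$1" <<EOF
# OpenLDAP 2.0 TLS settings (constructed example)
TLS_CACERT   /etc/openldap/cacert.pem
TLS_RANDFILE $2
EOF
}

tls_randfile() {
    # Print the first TLS_RANDFILE value in an ldap.conf; comment lines
    # start with '#' so their \$1 never matches the directive name.
    awk 'toupper($1) == "TLS_RANDFILE" { print $2; exit }' "$1"
}

check_randfile() {
    # Classify the configured entropy source:
    #   socket  - a UNIX socket (EGD/PRNGD)
    #   file    - a regular, non-empty seed file
    #   absent  - path configured but nothing usable there (exit 1)
    #   missing - no TLS_RANDFILE line at all (exit 1)
    p=$(tls_randfile "$1")
    if [ -z "$p" ]; then
        echo missing
        return 1
    elif [ -S "$p" ]; then
        echo socket
    elif [ -f "$p" ] && [ -s "$p" ]; then
        echo file
    else
        echo absent
        return 1
    fi
}

# Stand-alone demo: sh this_script.sh demo [ldap.conf] [entropy-path]
if [ "${1:-}" = demo ]; then
    conf=${2:-/tmp/ldap.conf.example}
    src=${3:-/var/run/egd-pool}
    write_example_conf "$conf" "$src"
    printf 'TLS_RANDFILE=%s -> %s\n' "$(tls_randfile "$conf")" "$(check_randfile "$conf" || true)"
fi
```

The check only looks at the path, not at whether OpenSSL was built with EGD support or whether slapd has permission to connect to the socket, so run it as the user slapd runs as. The directive matters only on hosts where OpenSSL cannot read /dev/urandom, which is why the poster on HP-UX 11.00 needs it at all.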