
Re: EGD not used?

OpenLDAP 2.0 can be configured to use an EGD or an arbitrary
file containing random bits via the ldap.conf TLS_RANDFILE

At 12:05 PM 1/4/01 -0700, Karl Bolingbroke wrote:
>I know that no one wants to see another message on "PRNG not
>seeded", but be patient.  I'm running OpenLDAP 2.0.7 on
>HP-UX 11.00 with OpenSSL 0.9.6 and EGD 0.8.  I've been
>testing for a while, and everything but SSL works just fine.
>Now I'm testing SSL connections, and I get the dreaded
>message "PRNG not seeded".  This was quite a surprise to me
>since I'm also using EGD for OpenSSH, and it works just
>
>I did a little debugging and found that when I use OpenSSH,
>it does request data from the EGD socket.  Similar testing
>showed that OpenLDAP was NOT making a request to EGD.  Both
>of these tests were run on the same machine, with the
>RANDFILE variable set to the EGD socket path.
>
>After great searching, I found a reference at
>03.html saying that, in fact, OpenSSL only partially
>supports the use of EGD.  This information was prior to the
>release of v0.9.6, but it appears to still be true.  I did
>tests with the openssl command-line tool and found that it
>ignores both the RANDFILE environment variable and the
>RANDFILE directive in openssl.cnf.  In order to get it to
>use the EGD socket, you have to pass it a "-rand" argument.
>
>So, has the OpenLDAP code taken this into account?  When
>OpenLDAP calls OpenSSH routines, is there a way to make it
>pass the "-rand" argument as well?  Is there another way to
>make OpenLDAP use EGD or is there another alternative to
>/dev/random that does work with OpenLDAP?  Thanks for your
>
>Karl Bolingbroke
>Flying J Inc.