Re: EGD not used?
OpenLDAP users,
I'm having a problem getting the TLS_RANDFILE directive to work (described
in previous email below), unless I'm not using it right. The manpage on
ldap.conf specifies that it is used by ldap clients:
DESCRIPTION
The ldap.conf configuration file is used to set system-wide
defaults to be applied when running ldap clients. If the
environment variable LDAPNOINIT is defined, all defaulting
is disabled.
However after configuring TLS_RANDFILE=/var/run/egd-pool (using PRNGD
here), I'm still receiving the following error when trying to initialize an
SSL connection to my ldap server:
bash-2.03# /usr/local/bin/ldapsearch -H ldaps://ldap.slb.com -b o=slb,c=an alias=sromero dn
ldap_bind: Can't contact LDAP server
        additional info: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded
Any ideas on the usage of this directive?
Thanks.
Regards,
Steve Romero
Re: EGD not used?
To: "Karl Bolingbroke" <karl.bolingbroke@flyingj.com>
Subject: Re: EGD not used?
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Thu, 04 Jan 2001 11:33:31 -0800
Cc: <openldap-software@OpenLDAP.org>
In-Reply-To: <000801c07681$523dbb50$54c610c0@kb.credit.flyingj.com>
OpenLDAP 2.0 can be configured to use an EGD or an arbitrary
file containing random bits via the ldap.conf TLS_RANDFILE
directive.
At 12:05 PM 1/4/01 -0700, Karl Bolingbroke wrote:
>Hi,
>I know that no one wants to see another message on "PRNG not
>seeded", but be patient. I'm running OpenLDAP 2.0.7 on
>HP-UX 11.00 with OpenSSL 0.9.6 and EGD 0.8. I've been
>testing for a while, and everything but SSL works just fine.
>Now I'm testing SSL connections, and I get the dreaded
>message "PRNG not seeded". This was quite a surprise to me
>since I'm also using EGD for OpenSSH, and it works just
>fine.
>
>I did a little debugging and found that when I use OpenSSH,
>it does request data from the EGD socket. Similar testing
>showed that OpenLDAP was NOT making a request to EGD. Both
>of these tests were run on the same machine, with the
>RANDFILE variable set to the EGD socket path.
>
>After great searching, I found a reference at
>http://www.mail-archive.com/openssl-users@openssl.org/msg07003.html
>saying that, in fact, OpenSSL only partially
>supports the use of EGD. This information was prior to the
>release of v0.9.6, but it appears to still be true. I did
>tests with the openssl command-line tool and found that it
>ignores both the RANDFILE environment variable and the
>RANDFILE directive in openssl.cnf. In order to get it to
>use the EGD socket, you have to pass it a "-rand" argument.
>
>So, has the OpenLDAP code taken this into account? When
>OpenLDAP calls OpenSSH routines, is there a way to make it
>pass the "-rand" argument as well? Is there another way to
>make OpenLDAP use EGD or is there another alternative to
>/dev/random that does work with OpenLDAP? Thanks for your
>help.
>
>Karl
>
>---------------------------------
>Karl Bolingbroke
>Flying J Inc.
>435-695-1233
>karl.bolingbroke@flyingj.com
>---------------------------------