Re: EGD not used?
I'm having a problem getting the TLS_RANDFILE directive to work (described
in previous email below), unless I'm not using it right. The manpage on
ldap.conf specifies that it is used by ldap clients:
The ldap.conf configuration file is used to set system-wide
defaults to be applied when running ldap clients. If the
environment variable LDAPNOINIT is defined, all defaulting
However after configuring TLS_RANDFILE=/var/run/egd-pool (using PRNGD
here), I'm still receiving the following error when trying to initialize an
SSL connection to my ldap server:
bash-2.03# /usr/local/bin/ldapsearch -H ldaps://ldap.slb.com -b o=slb,c=an
ldap_bind: Can't contact LDAP server
        additional info: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded
Any ideas on the usage of this directive?
Re: EGD not used?
To: "Karl Bolingbroke" <firstname.lastname@example.org>
Subject: Re: EGD not used?
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Thu, 04 Jan 2001 11:33:31 -0800
OpenLDAP 2.0 can be configured to use an EGD or an arbitrary
file containing random bits via the ldap.conf TLS_RANDFILE
At 12:05 PM 1/4/01 -0700, Karl Bolingbroke wrote:
>I know that no one wants to see another message on "PRNG not
>seeded", but be patient. I'm running OpenLDAP 2.0.7 on
>HP-UX 11.00 with OpenSSL 0.9.6 and EGD 0.8. I've been
>testing for a while, and everything but SSL works just fine.
>Now I'm testing SSL connections, and I get the dreaded
>message "PRNG not seeded". This was quite a surprise to me
>since I'm also using EGD for OpenSSH, and it works just
>I did a little debugging and found that when I use OpenSSH,
>it does request data from the EGD socket. Similar testing
>showed that OpenLDAP was NOT making a request to EGD. Both
>of these tests were run on the same machine, with the
>RANDFILE variable set to the EGD socket path.
>After great searching, I found a reference at
>03.html saying that, in fact, OpenSSL only partially
>supports the use of EGD. This information was prior to the
>release of v0.9.6, but it appears to still be true. I did
>tests with the openssl command-line tool and found that it
>ignores both the RANDFILE environment variable and the
>RANDFILE directive in openssl.cnf. In order to get it to
>use the EGD socket, you have to pass it a "-rand" argument.
>So, has the OpenLDAP code taken this into account? When
>OpenLDAP calls OpenSSH routines, is there a way to make it
>pass the "-rand" argument as well? Is there another way to
>make OpenLDAP use EGD or is there another alternative to
>/dev/random that does work with OpenLDAP? Thanks for your
>Flying J Inc.