
Re: EGD not used?

OpenLDAP users,

I'm having a problem getting the TLS_RANDFILE directive to work (described in previous email below), unless I'm not using it right. The manpage on ldap.conf specifies that it is used by ldap clients:

     The ldap.conf configuration file is used to set  system-wide
     defaults  to  be  applied when running ldap clients.  If the
     environment variable LDAPNOINIT is defined,  all  defaulting
     is disabled.

However, after configuring TLS_RANDFILE=/var/run/egd-pool (using PRNGD here), I'm still receiving the following error when trying to initialize an SSL connection to my ldap server:

bash-2.03# /usr/local/bin/ldapsearch -H ldaps://ldap.slb.com -b o=slb,c=an alias=sromero dn
ldap_bind: Can't contact LDAP server
additional info: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded

Any ideas on the usage of this directive?


Steve Romero

Re: EGD not used?

     To: "Karl Bolingbroke" <karl.bolingbroke@flyingj.com>
     Subject: Re: EGD not used?
     From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
     Date: Thu, 04 Jan 2001 11:33:31 -0800
     Cc: <openldap-software@OpenLDAP.org>
     In-Reply-To: <000801c07681$523dbb50$54c610c0@kb.credit.flyingj.com>

OpenLDAP 2.0 can be configured to use an EGD or an arbitrary
file containing random bits via the ldap.conf TLS_RANDFILE

At 12:05 PM 1/4/01 -0700, Karl Bolingbroke wrote:
>Hi,
>I know that no one wants to see another message on "PRNG not
>seeded", but be patient. I'm running OpenLDAP 2.0.7 on
>HP-UX 11.00 with OpenSSL 0.9.6 and EGD 0.8. I've been
>testing for a while, and everything but SSL works just fine.
>Now I'm testing SSL connections, and I get the dreaded
>message "PRNG not seeded". This was quite a surprise to me
>since I'm also using EGD for OpenSSH, and it works just
>fine.
>
>I did a little debugging and found that when I use OpenSSH,
>it does request data from the EGD socket. Similar testing
>showed that OpenLDAP was NOT making a request to EGD. Both
>of these tests were run on the same machine, with the
>RANDFILE variable set to the EGD socket path.
>
>After great searching, I found a reference at
>http://www.mail-archive.com/openssl-users@openssl.org/msg07003.html
>saying that, in fact, OpenSSL only partially
>supports the use of EGD. This information was prior to the
>release of v0.9.6, but it appears to still be true. I did
>tests with the openssl command-line tool and found that it
>ignores both the RANDFILE environment variable and the
>RANDFILE directive in openssl.cnf. In order to get it to
>use the EGD socket, you have to pass it a "-rand" argument.
>
>So, has the OpenLDAP code taken this into account? When
>OpenLDAP calls OpenSSH routines, is there a way to make it
>pass the "-rand" argument as well? Is there another way to
>make OpenLDAP use EGD or is there another alternative to
>/dev/random that does work with OpenLDAP? Thanks for your
>help.
>
>Karl
>
>---------------------------------
>Karl Bolingbroke
>Flying J Inc.
>435-695-1233
>karl.bolingbroke@flyingj.com
>---------------------------------
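
A pre-flight check for the TLS_RANDFILE setup discussed in this thread, as an added example that is not part of the original messages or of OpenLDAP. The function name `check_tls_randfile` and its return codes are this example's own; it assumes ldap.conf(5)'s `OPTION value` line format and flags the `OPTION=value` spelling, an unset directive, a defined LDAPNOINIT, and a path that is neither a socket nor a readable seed file.

```shell
#!/bin/sh
# Added example: sanity-check the TLS_RANDFILE setting an ldap client would read.
# Return codes (this example's own convention):
#   0 ok, 1 directive missing, 2 written with '=', 3 bad path,
#   4 LDAPNOINIT defined, 5 config file unreadable

check_tls_randfile() {
    conf=$1

    # Per the ldap.conf man page, a defined LDAPNOINIT disables all defaulting.
    if [ -n "${LDAPNOINIT+set}" ]; then
        echo "LDAPNOINIT is defined: ldap.conf defaults are disabled"; return 4
    fi
    [ -r "$conf" ] || { echo "cannot read $conf"; return 5; }

    # ldap.conf(5) documents options as "OPTION <whitespace> value".
    # A line written as "OPTION=value" does not have that form, so flag it.
    if grep -Eiq '^[[:space:]]*TLS_RANDFILE[[:space:]]*=' "$conf"; then
        echo "TLS_RANDFILE written with '=': expected 'TLS_RANDFILE <path>'"
        return 2
    fi

    # Option names are case-insensitive; comment lines start with '#'.
    # Taking the last occurrence is this example's choice.
    path=$(awk 'toupper($1) == "TLS_RANDFILE" { v = $2 } END { print v }' "$conf")
    [ -n "$path" ] || { echo "no TLS_RANDFILE directive in $conf"; return 1; }

    if [ -S "$path" ]; then
        echo "TLS_RANDFILE -> EGD-style socket $path"; return 0
    elif [ -f "$path" ] && [ -r "$path" ] && [ -s "$path" ]; then
        echo "TLS_RANDFILE -> seed file $path"; return 0
    fi
    echo "TLS_RANDFILE path $path is not a socket or a readable, non-empty file"
    return 3
}

# Run against a config file given on the command line, if any.
if [ "$#" -gt 0 ]; then
    check_tls_randfile "$1"
fi
```

A passing result only shows that the client has a usable entropy source configured; whether the TLS library actually draws from it still has to be confirmed by watching for a request on the socket, as described in the quoted message.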