Newbie with RANDFILE

on 06.06.2002 23:36:39 by Jeff Landers

OK, I give up. What am I doing wrong? Apache 2.036 trying to on Solaris 8. Everything seems fine during install. egd working. Random file is /var/spool/prngd/pool. Pointed the RANDFILE at the file in openssl.conf, but keep getting the following.

I searched the archives but no luck.

./CA.sh -newca

Making CA certificate ...
Using configuration from /usr/local/ssl/openssl.cnf
unable to load 'random state'
This means that the random number generator has not been seeded
with much random data.
Consider setting the RANDFILE environment variable to point at a file that
'random' data can be kept in (the file will be overwritten).
Generating a 1024 bit RSA private key
10175:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:501:You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
10175:error:04069003:rsa routines:RSA_generate_key:BN lib:rsa_gen.c:182:

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Newbie with RANDFILE

on 06.06.2002 23:57:11 by jmorris

I just went through this!

It may have to do with the fact that Solaris 8 and below do not have
support for random number generation.
http://wwws.sun.com/software/solaris/fcc/fcc.html

After several hours of frustration, I found some instructions that work!
I'll save you some grief:

You must install OpenSSL if you have not already. I'm using
OpenSSL 0.9.6c 21 Dec 2001.

OpenSSL would normally be installed in /usr/local ... be sure and
update your $PATH to include /usr/local/ssl/bin.

While in /usr/local/ssl/misc:

1. Using vi, create file named rand.text (just a text file with 5 or so lines of random characters).
2. openssl des3 -in rand.text -out rand.dat
3. openssl genrsa -des3 -out server.key 1024
4. openssl req -new -key server.key -out server.csr
5. openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
6. I used the ssl.conf file to start with (cp ssl.conf httpd.conf)
7. add User nobody Group nobody to httpd.conf
8. point SSLCertificateFile and SSLCertificateKeyFile to appropriate path in the httpd.conf file
9. ./apachectl startssl

It worked for me. Let me know how it goes.

Thanks
Jim




Re: Newbie with RANDFILE

on 06.06.2002 23:58:30 by Tim Pushor

Wow, it says right in your error output:

> 10175:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:501:You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html

And from the FAQ [USER] Section 1:

Pointing $RANDFILE to an Entropy Gathering Daemon socket does not work. Use
the "-rand" option of the OpenSSL command line tools instead.


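Added example, not part of any post in this thread: a shell version of the check implied by the FAQ text quoted in the reply above. It reports whether a path is usable as RANDFILE (a regular, non-empty file) or has to be passed with -rand instead (an EGD/PRNGD socket), and joins usable sources with the ':' separator that -rand takes on Unix. The function names are hypothetical, and accepting a socket for -rand assumes an OpenSSL build with EGD support, as in the versions discussed here.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies a candidate seed source and
# builds a -rand value, following the FAQ text quoted above.

# Print what PATH is: missing | egd-socket | device | empty-file | seed-file | other
classify_seed_source() {
    if [ -z "$1" ] || [ ! -e "$1" ]; then echo missing
    elif [ -S "$1" ]; then echo egd-socket   # EGD/PRNGD expose a Unix socket
    elif [ -c "$1" ]; then echo device       # e.g. /dev/random where it exists
    elif [ -f "$1" ] && [ ! -s "$1" ]; then echo empty-file
    elif [ -f "$1" ]; then echo seed-file
    else echo other
    fi
}

# RANDFILE is read as a file and overwritten afterwards, so only a regular,
# non-empty file is a usable value. Returns 0 if usable, 1 otherwise.
randfile_usable() {
    [ "$(classify_seed_source "$1")" = seed-file ]
}

# Join every usable source into one -rand value ("a:b:c"); skip the rest.
build_rand_arg() {
    out=
    for src in "$@"; do
        case $(classify_seed_source "$src") in
            seed-file|device|egd-socket) out=${out:+$out:}$src ;;
        esac
    done
    printf '%s\n' "$out"
}

# Report on $RANDFILE when run with "check" as the first argument.
if [ "${1:-}" = check ]; then
    kind=$(classify_seed_source "${RANDFILE:-}")
    echo "RANDFILE=${RANDFILE:-<unset>} is: $kind"
    if randfile_usable "${RANDFILE:-}"; then
        echo "usable as RANDFILE"
    elif [ "$kind" = egd-socket ]; then
        echo "a socket cannot be RANDFILE; pass it as: -rand $RANDFILE"
    else
        echo "not usable; point RANDFILE at a regular file or pass sources with -rand"
    fi
fi
```
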
Re: Newbie with RANDFILE

on 08.06.2002 03:08:47 by Ian Miller

They have a patch for Solaris 8 that adds /dev/random now, just for info:
Patch # 112438-01


Ian Miller
BSD/IS-BMI Computing
Sr. System Engineer
University of Chicago
imiller@bsd.uchicago.edu
