The easiest way is to have the user install a random device. There are ones
out there for Solaris all the way back to version 2.5.1.

However, keep in mind that all but the latest /dev/random devices out there
do not generate very good random numbers. The newer ones use the Yarrow
engine, but the very best ones also derive randomness from the hardware
random number generators on some of the CPUs (e.g. the VIA C3 Nehemiah, the
Intel 82802, i.e. the x810 chipset) or from devices like the following SG100:

http://www.protego.se/sg100_en.htm

Ted

-----Original Message-----
From: owner-openssl-users@openssl.org
[mailto:owner-openssl-users@openssl.org] On Behalf Of Urjit Gokhale
Sent: Monday, January 07, 2008 1:06 AM
To: openssl-users@openssl.org
Subject: Handling missing random number generator


Hello,

I observed that on a few platforms, the random device is missing. Due to
this, the SSL_connect fails. I would have to use the -rand option of s_client
for a successful connection.
On such platforms, even my client application fails due to the missing
random number generator device.
For example, on my Solaris box, my client fails and truss gives the following
output:
=============
0.0999 open("/dev/urandom", O_RDONLY|O_NONBLOCK|O_NOCTTY) Err#2 ENOENT
0.1003 open("/dev/random", O_RDONLY|O_NONBLOCK|O_NOCTTY) Err#2 ENOENT
0.1007 open("/dev/srandom", O_RDONLY|O_NONBLOCK|O_NOCTTY) Err#2 ENOENT
0.1013 so_socket(1, 2, 0, "", 1) = 5
0.1018 connect(5, 0xFFBEE3F8, 19, 1) Err#2 ENOENT
0.1021 close(5) = 0
0.1025 so_socket(1, 2, 0, "", 1) = 5
0.1029 connect(5, 0xFFBEE3F8, 15, 1) Err#2 ENOENT
0.1032 close(5) = 0
0.1035 so_socket(1, 2, 0, "", 1) = 5
0.1039 connect(5, 0xFFBEE3F8, 15, 1) Err#2 ENOENT
0.1041 close(5) = 0
0.1046 so_socket(1, 2, 0, "", 1) = 5
0.1050 connect(5, 0xFFBEE3F8, 14, 1) Err#2 ENOENT

=============
And then the SSL_connect fails with SSL_ERROR_SYSCALL and errno set to 2.

In such cases, I had thought of using RAND_write_file() followed by
RAND_load_file() just after loading the required libraries
(SSL_load_error_strings, SSL_library_init).

Do you think this is a sensible approach? If not, could you suggest ways to
deal with situations when the random device is missing?
If yes, I have another question. How do I detect programmatically if the
random device is missing? The RAND_write_file() and RAND_load_file() should
be used only if the random device is missing, right?

Any help in understanding this is highly appreciated.

Thank you,
~ Urjit
DISCLAIMER ========== This e-mail may contain privileged and confidential
information which is the property of Persistent Systems Ltd. It is intended
only for the use of the individual or entity to which it is addressed. If
you are not the intended recipient, you are not authorized to read, retain,
copy, print, distribute or use this message. If you have received this
communication in error, please notify the sender and delete all copies of
this message. Persistent Systems Ltd. does not accept any liability for
virus infected mails.
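The truss trace in the question shows exactly which paths OpenSSL's Unix seeding code probes and with which flags (open of /dev/urandom, /dev/random and /dev/srandom with O_RDONLY|O_NONBLOCK|O_NOCTTY, each failing with ENOENT). The following is an added example, not code from the thread or from OpenSSL: it reproduces that probe so an application can detect the "missing random device" case itself before SSL_connect, and it shows a conservative reader for the seed-file fallback that the question proposes. The device list and flags come from the trace; the minimum seed size (32 bytes), the permission policy (reject group- or world-readable files), the /tmp demo path and the constructed seed bytes are this example's own assumptions. In an OpenSSL program the same decision is normally made with RAND_status() before connecting and RAND_load_file() to consume the seed file; those calls are left out here so the block compiles without libcrypto.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Device list and open flags exactly as the truss output in the question
 * shows them; OpenSSL tries these paths in this order when seeding. */
static const char *const RANDOM_DEVICES[] = {
    "/dev/urandom", "/dev/random", "/dev/srandom"
};
#define NUM_RANDOM_DEVICES (sizeof RANDOM_DEVICES / sizeof RANDOM_DEVICES[0])

/* Return the index of the first path that opens as a random device, or -1 if
 * none does. errno keeps the last failure (ENOENT is the "missing" case). */
int find_random_device(const char *const *paths, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        int fd = open(paths[i], O_RDONLY | O_NONBLOCK | O_NOCTTY);
        if (fd >= 0) {
            close(fd);
            return (int)i;
        }
    }
    return -1;
}

/* Assumed policy: a fallback seed file must hold at least 256 bits. */
#define MIN_SEED_BYTES 32

/* Read seed material from a fallback seed file. Refuses anything that is not
 * a regular file, is group- or world-readable, or is shorter than
 * MIN_SEED_BYTES. Returns bytes read, or -1 (errno set) on any refusal. */
ssize_t read_seed_file(const char *path, unsigned char *buf, size_t len)
{
    struct stat st;
    ssize_t total = 0;
    int fd = open(path, O_RDONLY | O_NOCTTY);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        (st.st_mode & (S_IRWXG | S_IRWXO)) != 0 ||
        st.st_size < (off_t)MIN_SEED_BYTES) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    while ((size_t)total < len) {
        ssize_t n = read(fd, buf + total, len - (size_t)total);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            close(fd);
            return -1;
        }
        if (n == 0)
            break;
        total += n;
    }
    close(fd);
    return total >= (ssize_t)MIN_SEED_BYTES ? total : -1;
}

/* Constructed demonstration: a path list with no device present gives -1. */
int demo_missing_device(void)
{
    static const char *const none[] = {
        "/nonexistent-constructed/urandom", "/nonexistent-constructed/random"
    };
    return find_random_device(none, 2);
}

/* Constructed demonstration: write a 64-byte seed file with the given mode
 * and read it back through the policy. Expected 64 for 0600, -1 for 0644.
 * The seed bytes are a fixed pattern for the demo, NOT real entropy. */
int demo_seed_file(mode_t mode)
{
    char path[] = "/tmp/seedfile-demo-XXXXXX";   /* assumed writable */
    unsigned char seed[64], out[64];
    ssize_t got;
    size_t i;
    int fd = mkstemp(path);
    if (fd < 0)
        return -2;
    for (i = 0; i < sizeof seed; i++)
        seed[i] = (unsigned char)(i * 7 + 3);
    if (write(fd, seed, sizeof seed) != (ssize_t)sizeof seed) {
        close(fd);
        unlink(path);
        return -2;
    }
    fchmod(fd, mode);
    close(fd);
    got = read_seed_file(path, out, sizeof out);
    unlink(path);
    return (int)got;
}

int main(void)
{
    int idx = find_random_device(RANDOM_DEVICES, NUM_RANDOM_DEVICES);
    if (idx >= 0)
        printf("random device available: %s\n", RANDOM_DEVICES[idx]);
    else
        printf("no random device (%s): load a seed file before SSL_connect\n",
               strerror(errno));
    printf("constructed demo, missing device: %d\n", demo_missing_device());
    printf("constructed demo, 0600 seed file: %d\n", demo_seed_file(0600));
    printf("constructed demo, 0644 seed file: %d\n", demo_seed_file(0644));
    return 0;
}
```

The order of checks is the point: probe for a device first, and only when that fails fall back to a seed file, because a seed file carries entropy only if it was written on a host whose generator was itself properly seeded (a file written from an unseeded generator adds nothing). The permission check matters for the same reason the thread worries about weak /dev/random implementations: a seed file that other users can read lets them predict the keys derived from it.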


______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org