Operating System - HP-UX

Re: Apache, Open-ssl "PRNG not seeded" when making certificate,

 
Jim Loucks
Occasional Advisor

Apache, Open-ssl "PRNG not seeded" when making certificate,

In trying to get Apache and open-ssl running, one of the last steps is to "make certificate" in the ...apache/src directory. The make returns the following error:

13909:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:501:You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
13909:error:04069003:rsa routines:RSA_generate_key:BN lib:rsa_gen.c:182:

In looking at the above URL in the error message, I was led to this page:

http://www.apache-ssl.org/docs.html#SSLRandomFile

Which gives this example:

SSLRandomFile file /dev/urandom 1024

I can't figure out what that means or what I'm supposed to do with it. I've changed a line in the Configuration file from:

Rule DEV_RANDOM=default

to
Rule DEV_RANDOM=truerand

But still cannot make the certificate. The /dev/urandom device (nor /dev/random) exist on this box.

Jim Loucks
Occasional Advisor

Re: Apache, Open-ssl "PRNG not seeded" when making certificate,

Whoops. Got a typo in my first post. The /dev/random and /dev/urandom devices do NOT exist on this system.
Jeff Schussele
Honored Contributor

Re: Apache, Open-ssl "PRNG not seeded" when making certificate,

Jim,

This earlier thread might help:

http://forums.itrc.hp.com/cm/QuestionAnswer/1,,0x05c50bce6f33d6118fff0090279cd0f9,00.html

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Jim Loucks
Occasional Advisor

Re: Apache, Open-ssl "PRNG not seeded" when making certificate,

Thanks, Jeff. I tried something similar before posting to no avail. Then I tried what was recommended in the thread you pointed me to, only to get the same error.
Sridhar Bhaskarla
Honored Contributor

Re: Apache, Open-ssl "PRNG not seeded" when making certificate,

Hi Jim,

I created my own certificate using the following process.

#cd /opt/apache/ssl
#./openssl req -new -keyout myprivate.key -out mypublic.csr
Answer a few questions here...
#./openssl rsa -in myprivate.key -out my.cert.key
#./openssl x509 -in mypublic.csr -out my.cert.cert -req -signkey my.cert.key -days 365

This worked for me.

-Sri

You may be disappointed if you fail, but you are doomed if you don't try
Jeff Schussele
Honored Contributor

Re: Apache, Open-ssl "PRNG not seeded" when making certificate,

Jim,

Well, w/o /dev/random (as almost all other flavors have) we HPers are stuck with random(3m) which of course is useless cryptographically.
Good luck - I suggest you call/write the Apache folks & gently remind them you're installing on HP-UX & ask them what the heck you're supposed to do w/o a /dev/random?

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Jim Loucks
Occasional Advisor

Re: Apache, Open-ssl "PRNG not seeded" when making certificate,

Jeff - I'll probably have to do that. Thanks.

Sri,

When I try what was successful for you I get the same error:

./openssl req -new -keyout myprivate.key -out mypublic.csr
Using configuration from /usr/local/ssl/openssl.cnf
unable to load 'random state'
This means that the random number generator has not been seeded
with much random data.
Generating a 1024 bit RSA private key
14805:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:501:You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
14805:error:04069003:rsa routines:RSA_generate_key:BN lib:rsa_gen.c:182:


Sridhar Bhaskarla
Honored Contributor
Solution

Re: Apache, Open-ssl "PRNG not seeded" when making certificate,

Hi Jim,

Sorry I didn't read your message clearly. I knew I had this problem as on HP you don't have /dev/random. There is a workaround for it if I remember correctly, it will initialize a .rnd file in root's home.

Take three more test files and compress them. You can use files like /var/adm/sw/swagent.log etc.,

Use the command

#openssl genrsa -des3 -rand file1.Z:file2.Z:file3.Z -out my.key 1024

After generating the key, verify if you have the file .rnd in your home directory. You should not get this error from then onwards.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
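
The workaround from the reply above as a script, added here as an example and not part of the original thread: it checks whether a kernel random device or a seed file (`$RANDFILE`, else `$HOME/.rnd`) is available and, if not, builds the `-rand` list for the same `genrsa` command. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread); function names are hypothetical.

# Report where OpenSSL could get seed material on this host.
# $1   = seed file to check (default: $RANDFILE, then $HOME/.rnd)
# $2.. = candidate kernel devices (default: /dev/urandom /dev/random)
prng_seed_source() {
    rnd=${1:-${RANDFILE:-$HOME/.rnd}}
    if [ $# -gt 0 ]; then shift; fi
    if [ $# -eq 0 ]; then set -- /dev/urandom /dev/random; fi
    for dev in "$@"; do
        if [ -c "$dev" ] && [ -r "$dev" ]; then
            echo "device:$dev"; return 0
        fi
    done
    if [ -r "$rnd" ] && [ -s "$rnd" ]; then
        echo "randfile:$rnd"; return 0
    fi
    echo "none"; return 1
}

# Join readable, non-empty files into the colon-separated list -rand expects.
rand_arg() {
    list=
    for f in "$@"; do
        if [ -r "$f" ] && [ -s "$f" ]; then
            list=${list:+$list:}$f
        else
            echo "skipping $f (missing, unreadable or empty)" >&2
        fi
    done
    [ -n "$list" ] && echo "$list"
}

# Seed from the given files and generate the key, as in the reply above.
# Usage: seed_and_genkey my.key file1.Z file2.Z file3.Z
seed_and_genkey() {
    key=$1; shift
    files=$(rand_arg "$@") || { echo "no usable seed files" >&2; return 1; }
    # Subshell keeps the restrictive umask local; key and .rnd stay private.
    ( umask 077; openssl genrsa -des3 -rand "$files" -out "$key" 1024 )
}

# Diagnosis only; nothing is generated unless seed_and_genkey is called.
prng_seed_source || echo "no seed source found; use seed_and_genkey" >&2
```

Files that other users can read or predict contribute little entropy, so the generated key is only as unpredictable as the seed files.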
Jim Loucks
Occasional Advisor

Re: Apache, Open-ssl "PRNG not seeded" when making certificate,

Thanks, Sri. That did it. I was working on a similar idea but didn't know about the .rnd file. Is this documented somewhere?