Thanks for the explanation. So I guess I just got lucky with the first one. :) Do you have any kind of estimate of how long it will take to generate?

> Date: Wed, 14 Jan 2015 13:27:55 +0000
> From: matt at openssl.org
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] Generating large DH parameters
>
> On 14/01/15 12:35, jack seth wrote:
> > I am trying to generate a 16384 bit DH file for testing purposes. Is
> > it necessary to have a '.rnd' in existence before trying to generate
> > this file? I generated one which took 4 days to do but the computer had
> > a .rnd file. I am currently trying to generate another on a system
> > WITHOUT the .rnd file and it has been going 3 WEEKS so far. Did I just
> > get lucky with the first DH file and it really can take this long (or
> > longer) to make this file or does openssl really need the .rnd file to
> > do this?
>
> The purpose of the .rnd file is to seed the random number generator with
> entropy before you start. The built-in OpenSSL PRNG will attempt to seed
> itself from various different sources dependent on the platform that you
> are on, e.g. if you have a "/dev/urandom" then it will try to use it.
> Some platforms may have very restricted access to entropy sources, and
> on those platforms a .rnd file might be particularly useful. Assuming
> you are using a relatively modern desktop machine this is unlikely to be
> a problem for you.
>
> If the PRNG has not been seeded with sufficient entropy then it will
> fail with the "PRNG not seeded" error:
> https://www.openssl.org/support/faq.html#USER1
>
> The fact that you have not seen that error means that the PRNG believes
> it has been sufficiently seeded. The method that was used to seed the
> PRNG will not have a subsequent impact on its performance.
>
> In other words, the presence or otherwise of the .rnd file will not
> impact the performance once seeding is complete.
>
> The reason it is taking so long is that 16384 bits is GIGANTIC!
>
> Matt