Yes, it's related to https://github.com/openssl/openssl/issues/16996, and yes - the same solution worked.

There's something wrong with how PKCS#11 engine deals with (or presents itself as) rand provider. In any case, removing PKCS#11 engine from the [engines] section alleviated this problem.

Thanks!

P.S. I configured rand seed sources the standard way: "--with-rand-seed=rdcpu,os", as I think everybody does.

--
Regards,
Uri

On 11/10/21, 06:03, "Nicola Tuveri" <nic.tuv@xxxxxxxxx> wrote:

Just chiming in quickly to mention that this could be related to
https://github.com/openssl/openssl/issues/16996

Nicola

On Wed, Nov 10, 2021 at 10:33 AM Tomas Mraz <tomas@xxxxxxxxxxx> wrote:
>
> On Wed, 2021-11-10 at 03:38 +0000, Blumenthal, Uri - 0553 - MITLL wrote:
> > On 11/9/21, 22:23, "Dr Paul Dale" <pauli@xxxxxxxxxxx> wrote:
> >
> > > Currently I've no idea and can't reproduce locally :(
> >
> > Maybe you'd know how to force the "-engine rdrand" path through
> > "openssl.cnf"?
> >
> > > A rogue configuration file could cause the DRBGs/seeds to fail. Do you
> > > have seed=rdrand line in the random section? That will cause the
> > > seeding source to fail to load at all.
> >
> > No, I don't - and providing empty config causes the same result:
> >
> > $ OPENSSL_CONF=/dev/null openssl3 rand -hex 4
> > $ OPENSSL_CONF=/dev/null openssl3 rand -engine rdrand -hex 4
> > Engine "rdrand" set.
> > 61f1666d
>
> How did you configure the rand seed sources when building OpenSSL? I
> think rather than trying to make the rdrand engine default it would
> make more sense to try to resolve the problem with the rand provider
> and its seeding. What is the exit code of the first execution of the
> rand command? Could you try to run it under strace and/or gdb to
> investigate?
>
> --
> Tomáš Mráz
> No matter how far down the wrong road you've gone, turn back.
> Turkish proverb
> [You'll know whether the road is wrong if you carefully listen to your
> conscience.]