unsubscribe
From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> on behalf of Dr Paul Dale <pauli@xxxxxxxxxxx>
Sent: Wednesday, November 10, 2021 2:20:03 PM
To: openssl-users@xxxxxxxxxxx <openssl-users@xxxxxxxxxxx>
Subject: Re: OpenSSL-3.+ how to configure [random]?
I'm pretty sure the underlying problem is that there is a call to
RAND_set_rand_method() or RAND_set_rand_engine() occurring (likely the
latter).
These completely replace the built in RNG infrastructure with the
RAND_METHOD/engine. If the engine then fails to produce output for any
reason, the observed results will present.
Adding the RDRAND engine again replaces the RAND_METHOD and things begin
working.
I've no idea why the PKCS#11 engine has stopped working with 3.0. It
wasn't meant to.
Pauli
On 11/11/21 1:36 am, Blumenthal, Uri - 0553 - MITLL wrote:
> Yes, it's related to https://nam12.safelinks.protection.outlook.com/?url="">, and yes - the same solution worked.
>
> There's something wrong with how PKCS#11 engine deals with (or presents itself as) rand provider.
> In any case, removing PKCS#11 engine from the [engines] section alleviated this problem.
>
> Thanks!
>
> P.S. I configured rand seed sources the standard way: "--with-rand-seed=rdcpu,os", as I think everybody does.