PRNG not available when multiple providers are configured?

Tomas Mraz tmraz at redhat.com
Tue Nov 3 18:03:37 UTC 2020


On Tue, 2020-11-03 at 15:13 +0000, Matt Caswell wrote:
> 
> The reasons are a little complicated (see below) but the TL;DR summary
> is that there is an error in your config file. The ".include" line
> should specify a config file relative to OPENSSLDIR (or
> OPENSSL_CONF_INCLUDE if it is set). It cannot be an absolute path, and
> hence fips.cnf is not being found.
> 
> I've seen this error a few times now so I'm thinking that we should
> perhaps allow absolute paths. I'm not sure what the reason for
> disallowing them was.

This is actually a regression. The absolute paths worked fine in 1.1.1
but it is also not clear to me why an absolute path would not work even
with the current master unless you set OPENSSL_CONF_INCLUDE. The
OPENSSL_CONF_INCLUDE is unconditionally prepended to the include path
so that is the reason why absolute paths do not work properly if you
set OPENSSL_CONF_INCLUDE.

-- 
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]
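
The path handling described in the reply above, as an added example that is not part of the original message and is not OpenSSL source code: a simplified model of unconditional prepending next to a variant that leaves absolute paths alone. The function names and the sample directory and file paths are assumptions constructed for illustration; only POSIX-style absolute paths are considered.

```c
/* Added illustration: a simplified model, not OpenSSL source code. */
#include <stdio.h>
#include <string.h>

/* POSIX-only notion of "absolute"; Windows drive letters are out of scope. */
static int is_absolute(const char *path)
{
    return path != NULL && path[0] == '/';
}

/*
 * Behaviour described in the message: the include directory (from
 * OPENSSL_CONF_INCLUDE) is prepended unconditionally when it is set.
 * Returns 0 on success, -1 if the result does not fit in out.
 */
int resolve_prepend_always(const char *include_dir, const char *path,
                           char *out, size_t outlen)
{
    int n;

    if (include_dir == NULL || include_dir[0] == '\0')
        n = snprintf(out, outlen, "%s", path);
    else
        n = snprintf(out, outlen, "%s/%s", include_dir, path);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hypothetical variant: an absolute include path is used as given. */
int resolve_skip_absolute(const char *include_dir, const char *path,
                          char *out, size_t outlen)
{
    if (is_absolute(path))
        include_dir = NULL;
    return resolve_prepend_always(include_dir, path, out, outlen);
}

int main(void)
{
    char buf[256];
    /* Constructed sample values, not taken from the thread. */
    const char *dir = "/etc/ssl/conf.d";
    const char *inc = "/usr/local/ssl/fips.cnf";

    resolve_prepend_always(dir, inc, buf, sizeof(buf));
    printf("prepend always: %s\n", buf);
    resolve_skip_absolute(dir, inc, buf, sizeof(buf));
    printf("skip absolute:  %s\n", buf);
    return 0;
}
```

With the first function the absolute path ends up nested under the include directory, so the file it names is never opened; a deployment that depends on the included file should confirm that the resolved path actually exists.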



