PRNG not available when multiple providers are configured?
Matt Caswell
matt at openssl.org
Wed Nov 4 08:46:11 UTC 2020
On 03/11/2020 18:03, Tomas Mraz wrote:
> On Tue, 2020-11-03 at 15:13 +0000, Matt Caswell wrote:
>>
>> The reasons are a little complicated (see below) but the TL;DR
>> summary
>> is that there is an error in your config file. The ".include" line
>> should specify a config file relative to OPENSSLDIR (or
>> OPENSSL_CONF_INCLUDE if it is set). It cannot be an absolute path,
>> and
>> hence fips.cnf is not being found.
>>
>> I've seen this error a few times now so I'm thinking that we should
>> perhaps allow absolute paths. I'm not sure what the reason for
>> disallowing them was.
>
> This is actually a regression. The absolute paths worked fine in 1.1.1
> but it is also not clear to me why an absolute path would not work even
> with the current master unless you set OPENSSL_CONF_INCLUDE. The
> OPENSSL_CONF_INCLUDE is unconditionally prepended to the include path
> so that is the reason why absolute paths do not work properly if you
> set OPENSSL_CONF_INCLUDE.
>
This is indeed the case in my environment. I did have
OPENSSL_CONF_INCLUDE set - but I would expect an absolute path to
override it.
Matt
More information about the openssl-users
mailing list