[openssl-users] DH_generate_key Hangs

Jason Qian jqian at tibco.com
Thu Oct 5 14:43:43 UTC 2017


Here is the stack trace :

 libeay32.dll!RAND_poll  Normal
 [External Code]

 libeay32.dll!RAND_poll() Line 523
 libeay32.dll!ssleay_rand_bytes(unsigned char * buf, int num, int pseudo)
Line 395
 libeay32.dll!ssleay_rand_nopseudo_bytes(unsigned char * buf, int num) Line
536


Thanks
Jason



On Wed, Sep 27, 2017 at 2:02 PM, Michael Wojcik <
Michael.Wojcik at microfocus.com> wrote:

> > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On
> Behalf Of Jason Qian via openssl-users
> > Sent: Wednesday, September 27, 2017 07:00
> > To: openssl-users at openssl.org
> > Subject: [openssl-users] DH_generate_key Hangs
>
> > Need some help,  one of our application that hangs when calling
> > DH_generate_key (openssl-0.9.8y). This occurs randomly under loaded
> condition.
> > Not sure, if anyone know this issue ?
>
> The issue is running OpenSSL 0.9.8, which has not been supported since
> 2015.
>
> DH_generate_key can use an engine (at least in supported versions of
> OpenSSL - I no longer have any 0.9.8 code around to check), so we really
> can't say what it might be doing in your application. But if it's using the
> default OpenSSL implementation, then if your DH parameters don't already
> include a private key, you'll end up generating random numbers. That can
> hang, if OpenSSL is using a blocking CPRNG source such as /dev/random.
>
> But you haven't provided nearly enough information to do more than
> speculate.
>
> What you need to do:
>
> 1. Upgrade to OpenSSL 1.0.2 (or possibly 1.1.0, but that has API changes
> and isn't an LTS release). There's really no point in proceeding unless you
> do so. Your application is broken if it's using 0.9.8.
>
> 2. If the problem still occurs, debug a hanging instance and find out
> where *exactly* it's hung.
>
> --
> Michael Wojcik
> Distinguished Engineer, Micro Focus
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20171005/978248ce/attachment.html>


More information about the openssl-users mailing list