[openssl-users] DH_generate_key Hangs

Michael Wojcik Michael.Wojcik at microfocus.com
Thu Oct 5 23:45:37 UTC 2017

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Jeffrey Walton
> Sent: Thursday, October 05, 2017 13:33
> To: Jason Qian; OpenSSL Users
> Subject: Re: [openssl-users] DH_generate_key Hangs
> You should avoid calls to RAND_poll altogether on Windows. Do so by
> explicitly seeding the random number generator yourself.

As a starting point, try something like this:

static ENGINE *rdrand;

void init_prng(void) {
    /* Try to seed the PRNG with the Intel RDRAND on-chip PRNG */
    rdrand = ENGINE_by_id("rdrand");
    if (rdrand) {
        int success = 0;
        if (ENGINE_init(rdrand)) {
            success = ENGINE_set_default(rdrand, ENGINE_METHOD_RAND);

        Per OpenSSL wiki, call ENGINE_free here regardless of whether we're
        successfully using rdrand. The "functional reference" to rdrand will
        be released when we call ENGINE_finish.
        if (! success) ENGINE_finish(rdrand), rdrand = NULL;

    if (!rdrand && !RAND_status()){
      RAND_screen();   /* this isn't really emough entropy, but it's a start */
      if (!RAND_status()) {
         RAND_poll();      /* try to gather additional entropy */

void terminate_engines(void) {
   if (rdrand) ENGINE_finish(rdrand), rdrand = NULL;
   /* similarly for any other engines you use */

Call init_prng after your OpenSSL initialization code (e.g. after calling OpenSSL_add_all_algorithms), and terminate_engines when you're done using OpenSSL (e.g. just before process exit).

Note that this code uses RAND_screen if RDRAND isn't available. RAND_screen is really not a very good idea; it may be OK on workstations, but rarely provides much entropy on servers because they typically aren't doing much screen output. And if you still need entropy after the RAND_screen call, you'll end up in RAND_poll anyway. The alternative is to write your own code that harvests entropy from some source (or sources).

Other people may have better suggestions.

Michael Wojcik 
Distinguished Engineer, Micro Focus 

More information about the openssl-users mailing list