OpenSSL-3.+ how to configure [random]?

Tomas Mraz tomas at
Wed Nov 10 08:32:41 UTC 2021

On Wed, 2021-11-10 at 03:38 +0000, Blumenthal, Uri - 0553 - MITLL
> On 11/9/21, 22:23, "Dr Paul Dale" <pauli at> wrote:
> >    Currently I've no idea and can't reproduce locally :(
> Maybe you'd know how to force the "-engine rdrand" path through
> "openssl.cnf"?
> >    A rogue configuration file could cause the DRBGs/seeds to fail. 
> > Do you 
> >    have seed=rdrand line in the random section?  That will cause
> > the 
> >    seeding source to fail to load at all.
> No, I don't - and providing empty config causes the same result:
> $ OPENSSL_CONF=/dev/null openssl3 rand -hex 4
> $ OPENSSL_CONF=/dev/null openssl3 rand -engine rdrand -hex 4
> Engine "rdrand" set.
> 61f1666d

How did you configure the rand seed sources when building OpenSSL? I
think rather than trying to make the rdrand engine default it would
make more sense to try to resolve the problem with the rand provider
and its seeding. What is the exit code of the first execution of the
rand command? Could you try to run it under strace and/or gdb to
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your

More information about the openssl-users mailing list