OpenSSL-3.+ how to configure [random]?

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Wed Nov 10 15:36:25 UTC 2021


Yes, it's related to https://github.com/openssl/openssl/issues/16996, and yes - the same solution worked.

There's something wrong with how the PKCS#11 engine deals with (or presents itself as) a rand provider.
In any case, removing PKCS#11 engine from the [engines] section alleviated this problem.

Thanks!

P.S. I configured rand seed sources the standard way: "--with-rand-seed=rdcpu,os", as I think everybody does.
-- 
Regards,
Uri

On 11/10/21, 06:03, "Nicola Tuveri" <nic.tuv at gmail.com> wrote:

    Just chiming in quickly to mention that this could be related to
    https://github.com/openssl/openssl/issues/16996

    Nicola

    On Wed, Nov 10, 2021 at 10:33 AM Tomas Mraz <tomas at openssl.org> wrote:
    >
    > On Wed, 2021-11-10 at 03:38 +0000, Blumenthal, Uri - 0553 - MITLL
    > wrote:
    > > On 11/9/21, 22:23, "Dr Paul Dale" <pauli at openssl.org> wrote:
    > >
    > > >    Currently I've no idea and can't reproduce locally :(
    > >
    > > Maybe you'd know how to force the "-engine rdrand" path through
    > > "openssl.cnf"?
    > >
    > > >    A rogue configuration file could cause the DRBGs/seeds to fail.
    > > > Do you
    > > >    have seed=rdrand line in the random section?  That will cause
    > > > the
    > > >    seeding source to fail to load at all.
    > >
    > > No, I don't - and providing empty config causes the same result:
    > >
    > > $ OPENSSL_CONF=/dev/null openssl3 rand -hex 4
    > > $ OPENSSL_CONF=/dev/null openssl3 rand -engine rdrand -hex 4
    > > Engine "rdrand" set.
    > > 61f1666d
    >
    > How did you configure the rand seed sources when building OpenSSL? I
    > think rather than trying to make the rdrand engine default it would
    > make more sense to try to resolve the problem with the rand provider
    > and its seeding. What is the exit code of the first execution of the
    > rand command? Could you try to run it under strace and/or gdb to
    > investigate?
    > --
    > Tomáš Mráz
    > No matter how far down the wrong road you've gone, turn back.
    >                                               Turkish proverb
    > [You'll know whether the road is wrong if you carefully listen to your
    > conscience.]
    >
    >
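The thread narrows the failure down to two openssl.cnf settings: a PKCS#11 engine listed in the engines section (removing it fixed the poster's `openssl rand`), and a `seed=rdrand` line in the random section, which Paul Dale says stops the seed source from loading at all. The following is an added example, not code from the thread or from the OpenSSL project: a small linter that walks the standard `openssl_conf -> openssl_init -> engines / random` chain of an OpenSSL 3 config and flags both settings. It assumes the conventional section names used here, the sample config fragments and engine paths are constructed placeholders, and the parser deliberately ignores `.include` and `$VAR` expansion.

```python
# Added example (not from the mailing-list thread): lint an openssl.cnf for
# the two settings the thread identifies as breaking `openssl rand`:
#  - a PKCS#11 engine listed in the [engines] section, and
#  - a "seed = rdrand" line in the random section.
import re

SECTION_RE = re.compile(r"^\[\s*([^\]\s]+)\s*\]$")


def parse_cnf(text):
    """Minimal parser for OpenSSL's config syntax: [section] headers and
    key = value pairs, with '#' comments stripped.  Keys that appear before
    the first header land in the 'default' section.  .include directives
    and $VAR expansion are not handled (assumption: keeps the example
    self-contained)."""
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def lint_rand_config(text):
    """Return a list of (severity, message) findings for the settings that
    the thread reports as breaking the OpenSSL 3 rand provider."""
    cfg = parse_cnf(text)
    findings = []
    init = cfg.get(cfg["default"].get("openssl_conf", ""), {})

    # Engines: openssl_init -> engines -> one "alias = section" per engine.
    # The engine's ID is the engine_id key, falling back to the alias.
    for alias, sect_name in cfg.get(init.get("engines", ""), {}).items():
        engine_id = cfg.get(sect_name, {}).get("engine_id", alias)
        if engine_id == "pkcs11":
            findings.append(("warn",
                             f"engine '{alias}' (section [{sect_name}]) loads "
                             f"the PKCS#11 engine; the thread reports this "
                             f"breaking the rand provider in OpenSSL 3"))

    # Random section: openssl_init -> random -> seed = <seed source name>.
    seed = cfg.get(init.get("random", ""), {}).get("seed")
    if seed and seed.lower() == "rdrand":
        findings.append(("error",
                         "'seed = rdrand' in the random section names the "
                         "rdrand engine, not a seed source; the seeding "
                         "source will fail to load"))
    return findings


# Constructed openssl.cnf fragments (not the poster's actual file).
BROKEN_CNF = """
openssl_conf = openssl_init

[openssl_init]
engines = engine_section
random = random_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines-3/pkcs11.so   # placeholder path
MODULE_PATH = /path/to/pkcs11-module.so       # placeholder path
init = 0

[random_section]
seed = rdrand
"""

FIXED_CNF = """
openssl_conf = openssl_init

[openssl_init]
random = random_section

[random_section]
# no engines reference and no seed line: the built-in seed source is used
"""

if __name__ == "__main__":
    for name, cnf in (("broken", BROKEN_CNF), ("fixed", FIXED_CNF)):
        print(f"{name}: {lint_rand_config(cnf) or 'no findings'}")
```

Run it against a real file with `lint_rand_config(open("/path/to/openssl.cnf").read())`; an empty list means neither of the two settings from this thread is present, which is the same state the poster reached by deleting the PKCS#11 entry from the engines section. It does not prove the rand provider works: pair it with the check Tomas suggested, running `openssl rand -hex 4` and looking at its exit code.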