Date: 10 Dec 2001 18:23:32 +0100
From: "clemensF" <ino-waiting@gmx.net>
To: FreeBSD-gnats-submit@freebsd.org
Subject: kern/32675: problem using /dev/random in openssl -rand
Message-ID: <20011210182332.V905@spotteswoode.dnsalias.org>

>Number:         32675
>Category:       kern
>Synopsis:       openssl dhparam hangs when using /dev/random as entropy source
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Dec 10 09:30:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     clemens fischer
>Release:        FreeBSD 4.3-RELEASE i386
>Organization:
<organization of PR author (multiple lines)>
>Environment:
System: FreeBSD spotteswoode.dnsalias.org 4.3-RELEASE FreeBSD 4.3-RELEASE #11: Sat Sep 1 00:49:59 CEST 2001 root@spotteswoode.yi.org:/usr/src/sys/compile/n1 i386

>Description:

i wanted to create a set of Diffie-Hellman parameters for later key
generation using the following commands, and i wanted to seed
openssl-0.9.6b's PRNG using /dev/[u]random:

  #openssl dhparam -outform PEM -out /l/ssl/pem/dh1024.pem -5 \
      -rand /dev/random:/dev/urandom 1024
  ^C
  #openssl dhparam -outform PEM -in /dev/null -out /l/ssl/pem/dh512.pem -2 \
      -rand /dev/urandom
  Killed

>How-To-Repeat:

using /dev/random to seed openssl in this particular application will
always make openssl chew up CPU up to 99%, and it will run producing no
output until interrupted forcibly.

>Fix:

there is a simple workaround: *not* using the "-rand /dev/random"
option, e.g.:

  #openssl dhparam -outform PEM -in /dev/null -out /l/ssl/pem/dh512.pem -2
  warning, not much extra random data, consider using the -rand option
  Generating DH parameters, 512 bit long safe prime, generator 2
  This is going to take a long time
  ..........+.........................++*++*++*++*++*++*

then it always *works*!

clemens fischer

>Release-Note:
>Audit-Trail:
>Unformatted: