Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Bug#990228: [Pkg-openssl-devel] Bug#990228: openssl: breaks ssl-cert installation: 8022CB35777F0000:error:1200007A:random number generator:RAND_write_file:Not a regular file:../crypto/rand/randfile.c:190:Filename=/dev/urandom
201 views
Skip to first unread message
Sebastian Andrzej Siewior
Jun 23, 2021, 3:50:04 PM6/23/21
to
On 2021-06-23 14:46:37 [+0200], Andreas Beckmann wrote:
> Writing new private key to '/etc/ssl/private/ssl-cert-snakeoil.key'
> -----
> Warning: No -copy_extensions given; ignoring any extensions in the request
> Cannot write random bytes:
> 8022CB35777F0000:error:1200007A:random number generator:RAND_write_file:Not a regular file:../crypto/rand/randfile.c:190:Filename=/dev/urandom
…
> Hmm, well, yes, /dev/urandom is not a regular file. It's a character device node.
This is from
-config $file
->
RANDFILE = /dev/urandom
The reject of file nodes is new in the 3.0.0 release.
In the past openssl used to have its .rnd where it keept track of a
random state. So it read the RANDFILE to seed and wrote it back to avoid
having the state on the next invocation.
This is gone since 1.1.0 (I think) and openssl uses getrandom() to
initialize its random generator. It is no longer needed to specify
/dev/urandom as RANDFILE to seed it initially.
In this case it will read urandom and use additionally getrandom() and
both provide pseude-random data from exactly the same pool. And then
after the operation, openssl will write it back…
I would argue to remove RANDFILE from the template. On the other hand
there is nothing wrong with writting it back to a device node file.
Kurt?
>
> cheers,
>
> Andreas
Sebastian
> Writing new private key to '/etc/ssl/private/ssl-cert-snakeoil.key'
> -----
> Warning: No -copy_extensions given; ignoring any extensions in the request
> Cannot write random bytes:
> 8022CB35777F0000:error:1200007A:random number generator:RAND_write_file:Not a regular file:../crypto/rand/randfile.c:190:Filename=/dev/urandom
…
> Hmm, well, yes, /dev/urandom is not a regular file. It's a character device node.
This is from
-config $file
->
RANDFILE = /dev/urandom
The reject of file nodes is new in the 3.0.0 release.
In the past openssl used to have its .rnd where it keept track of a
random state. So it read the RANDFILE to seed and wrote it back to avoid
having the state on the next invocation.
This is gone since 1.1.0 (I think) and openssl uses getrandom() to
initialize its random generator. It is no longer needed to specify
/dev/urandom as RANDFILE to seed it initially.
In this case it will read urandom and use additionally getrandom() and
both provide pseude-random data from exactly the same pool. And then
after the operation, openssl will write it back…
I would argue to remove RANDFILE from the template. On the other hand
there is nothing wrong with writting it back to a device node file.
Kurt?
>
> cheers,
>
> Andreas
Sebastian
Kurt Roeckx
Jun 23, 2021, 6:40:03 PM6/23/21
to
Random State Options
Prior to OpenSSL 1.1.1, it was common for applications to store
information about the state of the random-number generator in a
file that was loaded at startup and rewritten upon exit. On
modern operating systems, this is generally no longer necessary
as OpenSSL will seed itself from a trusted entropy source
provided by the operating system. These flags are still supported
for special platforms or circumstances that might require them.
Reading something from /dev/urandom and then writing it back to it
doesn't make sense to me.
The expected behaviour is that you can read back the file you've
written, which clearly is not what /dev/urandom does.
If you need to save the file, you actually want a file that's still
there after a reboot.
I would recommend to just remove the option from the config file.
That being said, the manpage seems to indicate that a non-regular
file should also be supported for reading, but it's unclear if
that also applies to writing, and would assume it is, so this also
looks like a bug in OpenSSL.
Kurt
0 new messages