| FAQ (76866) | FAQ (79998) |
|---|---|
| 1OpenSSL - Frequently Asked Questions 2-------------------------------------- 3 4[MISC] Miscellaneous questions 5 6* Which is the current version of OpenSSL? 7* Where is the documentation? 8* How can I contact the OpenSSL developers? 9* Where can I get a compiled version of OpenSSL? 10* Why aren't tools like 'autoconf' and 'libtool' used? 11 12[LEGAL] Legal questions 13 14* Do I need patent licenses to use OpenSSL? 15* Can I use OpenSSL with GPL software? 16 17[USER] Questions on using the OpenSSL applications 18 19* Why do I get a "PRNG not seeded" error message? | 1OpenSSL - Frequently Asked Questions 2-------------------------------------- 3 4[MISC] Miscellaneous questions 5 6* Which is the current version of OpenSSL? 7* Where is the documentation? 8* How can I contact the OpenSSL developers? 9* Where can I get a compiled version of OpenSSL? 10* Why aren't tools like 'autoconf' and 'libtool' used? 11 12[LEGAL] Legal questions 13 14* Do I need patent licenses to use OpenSSL? 15* Can I use OpenSSL with GPL software? 16 17[USER] Questions on using the OpenSSL applications 18 19* Why do I get a "PRNG not seeded" error message? |
| 20* Why do I get an "unable to write 'random state'" error message? |
|
| 20* How do I create certificates or certificate requests? 21* Why can't I create certificate requests? 22* Why does <SSL program> fail with a certificate verify error? 23* Why can I only use weak ciphers when I connect to a server using OpenSSL? 24* How can I create DSA certificates? 25* Why can't I make an SSL connection using a DSA certificate? 26* How can I remove the passphrase on a private key? 27* Why can't I use OpenSSL certificates with SSL client authentication? --- 14 unchanged lines hidden (view full) --- 42* I've compiled a program under Windows and it crashes: why? 43* How do I read or write a DER encoded buffer using the ASN1 functions? 44* I've tried using <M_some_evil_pkcs12_macro> and I get errors why? 45* I've called <some function> and it fails, why? 46* I just get a load of numbers for the error output, what do they mean? 47* Why do I get errors about unknown algorithms? 48* Why can't the OpenSSH configure script detect OpenSSL? 49* Can I use OpenSSL's SSL library with non-blocking I/O? | 21* How do I create certificates or certificate requests? 22* Why can't I create certificate requests? 23* Why does <SSL program> fail with a certificate verify error? 24* Why can I only use weak ciphers when I connect to a server using OpenSSL? 25* How can I create DSA certificates? 26* Why can't I make an SSL connection using a DSA certificate? 27* How can I remove the passphrase on a private key? 28* Why can't I use OpenSSL certificates with SSL client authentication? --- 14 unchanged lines hidden (view full) --- 43* I've compiled a program under Windows and it crashes: why? 44* How do I read or write a DER encoded buffer using the ASN1 functions? 45* I've tried using <M_some_evil_pkcs12_macro> and I get errors why? 46* I've called <some function> and it fails, why? 47* I just get a load of numbers for the error output, what do they mean? 48* Why do I get errors about unknown algorithms? 49* Why can't the OpenSSH configure script detect OpenSSL? 50* Can I use OpenSSL's SSL library with non-blocking I/O? |
| 51* Why doesn't my server application receive a client certificate? |
|
| 50 51=============================================================================== 52 53[MISC] ======================================================================== 54 55* Which is the current version of OpenSSL? 56 57The current version is available from <URL: http://www.openssl.org>. | 52 53=============================================================================== 54 55[MISC] ======================================================================== 56 57* Which is the current version of OpenSSL? 58 59The current version is available from <URL: http://www.openssl.org>. |
| 58OpenSSL 0.9.6a was released on April 5th, 2001. | 60OpenSSL 0.9.6b was released on July 9th, 2001. |
| 59 60In addition to the current stable release, you can also access daily 61snapshots of the OpenSSL development version at <URL: 62ftp://ftp.openssl.org/snapshot/>, or get it by anonymous CVS access. 63 64 65* Where is the documentation? 66 --- 88 unchanged lines hidden (view full) --- 155 156* Why do I get a "PRNG not seeded" error message? 157 158Cryptographic software needs a source of unpredictable data to work 159correctly. Many open source operating systems provide a "randomness 160device" that serves this purpose. On other systems, applications have 161to call the RAND_add() or RAND_seed() function with appropriate data 162before generating keys or performing public key encryption. | 61 62In addition to the current stable release, you can also access daily 63snapshots of the OpenSSL development version at <URL: 64ftp://ftp.openssl.org/snapshot/>, or get it by anonymous CVS access. 65 66 67* Where is the documentation? 68 --- 88 unchanged lines hidden (view full) --- 157 158* Why do I get a "PRNG not seeded" error message? 159 160Cryptographic software needs a source of unpredictable data to work 161correctly. Many open source operating systems provide a "randomness 162device" that serves this purpose. On other systems, applications have 163to call the RAND_add() or RAND_seed() function with appropriate data 164before generating keys or performing public key encryption. |
| 165(These functions initialize the pseudo-random number generator, PRNG.) |
|
| 163 164Some broken applications do not do this. As of version 0.9.5, the 165OpenSSL functions that need randomness report an error if the random 166number generator has not been seeded with at least 128 bits of 167randomness. If this error occurs, please contact the author of the 168application you are using. It is likely that it never worked 169correctly. OpenSSL 0.9.5 and later make the error visible by refusing 170to perform potentially insecure encryption. 171 | 166 167Some broken applications do not do this. As of version 0.9.5, the 168OpenSSL functions that need randomness report an error if the random 169number generator has not been seeded with at least 128 bits of 170randomness. If this error occurs, please contact the author of the 171application you are using. It is likely that it never worked 172correctly. OpenSSL 0.9.5 and later make the error visible by refusing 173to perform potentially insecure encryption. 174 |
| 172On systems without /dev/urandom, it is a good idea to use the Entropy 173Gathering Demon; see the RAND_egd() manpage for details. | 175On systems without /dev/urandom and /dev/random, it is a good idea to 176use the Entropy Gathering Demon (EGD); see the RAND_egd() manpage for 177details. Starting with version 0.9.7, OpenSSL will automatically look 178for an EGD socket at /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool and 179/etc/entropy. |
| 174 | 180 |
| 175Most components of the openssl command line tool try to use the 176file $HOME/.rnd (or $RANDFILE, if this environment variable is set) 177for seeding the PRNG. If this file does not exist or is too short, 178the "PRNG not seeded" error message may occur. | 181Most components of the openssl command line utility automatically try 182to seed the random number generator from a file. The name of the 183default seeding file is determined as follows: If environment variable 184RANDFILE is set, then it names the seeding file. Otherwise if 185environment variable HOME is set, then the seeding file is $HOME/.rnd. 186If neither RANDFILE nor HOME is set, versions up to OpenSSL 0.9.6 will 187use file .rnd in the current directory while OpenSSL 0.9.6a uses no 188default seeding file at all. OpenSSL 0.9.6b and later will behave 189similarly to 0.9.6a, but will use a default of "C:" for HOME on 190Windows systems if the environment variable has not been set. |
| 179 | 191 |
| 180[Note to OpenSSL 0.9.5 users: The command "openssl rsa" in version 1810.9.5 does not do this and will fail on systems without /dev/urandom 182when trying to password-encrypt an RSA key! This is a bug in the 183library; try a later version instead.] | 192If the default seeding file does not exist or is too short, the "PRNG 193not seeded" error message may occur. |
| 184 | 194 |
| 195The openssl command line utility will write back a new state to the 196default seeding file (and create this file if necessary) unless 197there was no sufficient seeding. 198 199Pointing $RANDFILE to an Entropy Gathering Daemon socket does not work. 200Use the "-rand" option of the OpenSSL command line tools instead. 201The $RANDFILE environment variable and $HOME/.rnd are only used by the 202OpenSSL command line tools. Applications using the OpenSSL library 203provide their own configuration options to specify the entropy source, 204please check out the documentation coming the with application. 205 |
|
| 185For Solaris 2.6, Tim Nibbe <tnibbe@sprint.net> and others have suggested 186installing the SUNski package from Sun patch 105710-01 (Sparc) which 187adds a /dev/random device and make sure it gets used, usually through 188$RANDFILE. There are probably similar patches for the other Solaris 189versions. However, be warned that /dev/random is usually a blocking 190device, which may have some effects on OpenSSL. 191 192 | 206For Solaris 2.6, Tim Nibbe <tnibbe@sprint.net> and others have suggested 207installing the SUNski package from Sun patch 105710-01 (Sparc) which 208adds a /dev/random device and make sure it gets used, usually through 209$RANDFILE. There are probably similar patches for the other Solaris 210versions. However, be warned that /dev/random is usually a blocking 211device, which may have some effects on OpenSSL. 212 213 |
| 214* Why do I get an "unable to write 'random state'" error message? 215 216 217Sometimes the openssl command line utility does not abort with 218a "PRNG not seeded" error message, but complains that it is 219"unable to write 'random state'". This message refers to the 220default seeding file (see previous answer). A possible reason 221is that no default filename is known because neither RANDFILE 222nor HOME is set. (Versions up to 0.9.6 used file ".rnd" in the 223current directory in this case, but this has changed with 0.9.6a.) 224 225 |
|
| 193* How do I create certificates or certificate requests? 194 195Check out the CA.pl(1) manual page. This provides a simple wrapper round 196the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check 197out the manual pages for the individual utilities and the certificate 198extensions documentation (currently in doc/openssl.txt). 199 200 --- 337 unchanged lines hidden (view full) --- 538it is also possible that SSL_write() cannot do any useful work until 539there is data to read, or that SSL_read() cannot do anything until it 540is possible to send data. One reason for this is that the peer may 541request a new TLS/SSL handshake at any time during the protocol, 542requiring a bi-directional message exchange; both SSL_read() and 543SSL_write() will try to continue any pending handshake. 544 545 | 226* How do I create certificates or certificate requests? 227 228Check out the CA.pl(1) manual page. This provides a simple wrapper round 229the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check 230out the manual pages for the individual utilities and the certificate 231extensions documentation (currently in doc/openssl.txt). 232 233 --- 337 unchanged lines hidden (view full) --- 571it is also possible that SSL_write() cannot do any useful work until 572there is data to read, or that SSL_read() cannot do anything until it 573is possible to send data. One reason for this is that the peer may 574request a new TLS/SSL handshake at any time during the protocol, 575requiring a bi-directional message exchange; both SSL_read() and 576SSL_write() will try to continue any pending handshake. 577 578 |
| 579* Why doesn't my server application receive a client certificate? 580 581Due to the TLS protocol definition, a client will only send a certificate, 582if explicitely asked by the server. Use the SSL_VERIFY_PEER flag of the 583SSL_CTX_set_verify() function to enable the use of client certificates. 584 585 |
|
| 546=============================================================================== 547 | 586=============================================================================== 587 |