[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: SSL/TLS and PRNGD

To: Howard Chu <hyc@highlandsun.com>
Subject: RE: SSL/TLS and PRNGD
From: Paul Reilly <pareilly@tcd.ie>
Date: Sat, 22 Feb 2003 00:25:25 +0000 (GMT)
Cc: "openldap-software@OpenLDAP.org" <openldap-software@OpenLDAP.org>
In-reply-to: <002901c2d9f7$ae986e50$0e01a8c0@CELLO>

> In this particular case, that is clearly not your problem. You are telling
> ldapsearch to connect to an SSL session (ldaps server) : -H 'ldaps://....'
> and then telling it to start TLS "-Z" on that session. ldaps sessions are
> incompatible with the start TLS request. Use one or the other, not both.
>
OK, I see. So I should avoid using ldaps:// since we're using LDAPv3
right? and by just using -Z to start TLS everything will happen over port
389 and by encrypted following a successful TLS handshake?

Still getting prngd related errors though:

ldapsearch -Z -x -D 'cn=...' -H 'ldap://...' -W -b '...'
ldap_start_tls: Connect error (91)
  additional info: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded

This is using PRNGD 0.9.27 and OpenSSL 0.9.7a with prngd creating three
random sockets at /dev/random /dev/urandom and /dev/egd-pool and with the
prngd-ctl reporting:

./prngd-0.9.27/tools/prngd-ctl /dev/random get
32800

bits of randomness. Also I have TLS_RANDFILE in ldap.conf and TLSRANDFILE
in slapd.conf pointing to /dev/egd-pool.... But I see this is actually an
OpenSSL error as the exact same error comes up with an s_client test so I
will look at getting more randomness into OpenSSL...


Paul

Follow-Ups:
- Re: SSL/TLS and PRNGD
  - From: "dreamwvr@dreamwvr.com" <dreamwvr@dreamwvr.com>

References:
- RE: SSL/TLS and PRNGD
  - From: "Howard Chu" <hyc@highlandsun.com>

Prev by Date: Re: SSL/TLS and PRNGD
Next by Date: configure problems on openbsd 3.2
Index(es):
- Chronological
- Thread