
RE: SSL/TLS and PRNGD



> In this particular case, that is clearly not your problem. You are telling
> ldapsearch to connect to an SSL session (ldaps server) : -H 'ldaps://....'
> and then telling it to start TLS "-Z" on that session. ldaps sessions are
> incompatible with the start TLS request. Use one or the other, not both.
>
OK, I see. So I should avoid using ldaps:// since we're using LDAPv3,
right? And by just using -Z to start TLS, everything will happen over port
389 and be encrypted following a successful TLS handshake?

Still getting prngd-related errors though:

ldapsearch -Z -x -D 'cn=...' -H 'ldap://...' -W -b '...'
ldap_start_tls: Connect error (91)
  additional info: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded

This is using PRNGD 0.9.27 and OpenSSL 0.9.7a, with prngd creating three
random sockets at /dev/random, /dev/urandom and /dev/egd-pool, and with
prngd-ctl reporting:

./prngd-0.9.27/tools/prngd-ctl /dev/random get
32800

bits of randomness. Also I have TLS_RANDFILE in ldap.conf and TLSRANDFILE
in slapd.conf pointing to /dev/egd-pool.... But I see this is actually an
OpenSSL error as the exact same error comes up with an s_client test so I
will look at getting more randomness into OpenSSL...


Paul
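The "prngd-ctl ... get" query in the post is one command of the EGD wire protocol that prngd speaks and that TLS_RANDFILE/TLSRANDFILE consumers use. The script below is an added example, not code from this thread, from OpenLDAP or from prngd: a small EGD client that lets you confirm, independently of OpenSSL, that the socket you point TLS_RANDFILE at actually answers and reports enough entropy to seed a PRNG. The command bytes are the documented EGD ones (0x00 entropy count, 0x01 non-blocking read, 0x02 blocking read); the MockEgdServer class, the socket path it creates and the 256-bit threshold are constructed so the example runs offline, and the mock is a stand-in, not prngd itself.

```python
import os
import socket
import struct
import tempfile
import threading

# EGD protocol commands (documented for EGD/prngd; OpenSSL's RAND_egd() uses
# the same wire format when it seeds from an EGD socket).
EGD_GET_ENTROPY_COUNT = 0x00   # reply: 4-byte big-endian count of entropy bits
EGD_READ_NONBLOCKING = 0x01    # request: 1-byte n; reply: 1-byte len, then <= n bytes
EGD_READ_BLOCKING = 0x02       # request: 1-byte n; reply: exactly n bytes


def _recv_exact(sock, n):
    """Read exactly n bytes from the socket or raise on early EOF."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("EGD socket closed mid-reply")
        buf += chunk
    return buf


def egd_entropy_bits(path):
    """Same question `prngd-ctl <socket> get` asks: available entropy in bits."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(bytes([EGD_GET_ENTROPY_COUNT]))
        return struct.unpack(">I", _recv_exact(s, 4))[0]


def egd_read_nonblocking(path, n):
    """Request up to n bytes (1..255) without blocking; the daemon may return fewer."""
    if not 1 <= n <= 255:
        raise ValueError("EGD non-blocking read takes 1..255 bytes")
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(bytes([EGD_READ_NONBLOCKING, n]))
        length = _recv_exact(s, 1)[0]
        return _recv_exact(s, length)


def check_egd_socket(path, minimum_bits=256):
    """Return (ok, bits). minimum_bits is a constructed threshold, not an OpenSSL constant."""
    bits = egd_entropy_bits(path)
    return bits >= minimum_bits, bits


class MockEgdServer:
    """Hypothetical stand-in for prngd so the client above can be exercised offline.

    Serves the 0x00 and 0x01 commands over a Unix socket in a temp directory and
    debits its entropy estimate as bytes are handed out, as a real pool would.
    """

    def __init__(self, entropy_bits):
        self.entropy_bits = entropy_bits
        self.dir = tempfile.mkdtemp()
        self.path = os.path.join(self.dir, "egd-pool")   # constructed path
        self._srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self._srv.bind(self.path)
        self._srv.listen(5)
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self._srv.accept()
            except OSError:
                return
            with conn:
                cmd = conn.recv(1)
                if cmd == bytes([EGD_GET_ENTROPY_COUNT]):
                    conn.sendall(struct.pack(">I", self.entropy_bits))
                elif cmd == bytes([EGD_READ_NONBLOCKING]):
                    n = conn.recv(1)[0]
                    avail = min(n, self.entropy_bits // 8)
                    conn.sendall(bytes([avail]) + os.urandom(avail))
                    self.entropy_bits -= avail * 8   # debit the estimate

    def close(self):
        try:
            self._srv.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        self._srv.close()
        os.unlink(self.path)
        os.rmdir(self.dir)


if __name__ == "__main__":
    srv = MockEgdServer(32800)   # the count prngd-ctl reported in the post
    try:
        print(check_egd_socket(srv.path))
    finally:
        srv.close()
```

Against a live daemon, call check_egd_socket("/dev/egd-pool") directly. A healthy count only shows that the daemon is answering; whether the library in front of it was built and configured to consult that socket is a separate question, which is why the same error reproducing under openssl s_client is the useful data point here.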