RE: SSL/TLS and PRNGD
> In this particular case, that is clearly not your problem. You are telling
> ldapsearch to connect to an SSL session (ldaps server) : -H 'ldaps://....'
> and then telling it to start TLS "-Z" on that session. ldaps sessions are
> incompatible with the start TLS request. Use one or the other, not both.
>
OK, I see. So I should avoid using ldaps:// since we're using LDAPv3,
right? And by just using -Z to start TLS, everything will happen over port
389 and be encrypted following a successful TLS handshake?
Still getting prngd related errors though:
ldapsearch -Z -x -D 'cn=...' -H 'ldap://...' -W -b '...'
ldap_start_tls: Connect error (91)
additional info: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded
This is using PRNGD 0.9.27 and OpenSSL 0.9.7a, with prngd creating three
random sockets at /dev/random, /dev/urandom and /dev/egd-pool, and with
prngd-ctl reporting:
./prngd-0.9.27/tools/prngd-ctl /dev/random get
32800
bits of randomness. Also, I have TLS_RANDFILE in ldap.conf and TLSRANDFILE
in slapd.conf pointing to /dev/egd-pool... But I see this is actually an
OpenSSL error, as the exact same error comes up with an s_client test, so I
will look at getting more randomness into OpenSSL...
Paul
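Added example, not code from this thread or from OpenLDAP, OpenSSL or PRNGD: a small client for the EGD socket protocol that PRNGD serves on /dev/egd-pool. It makes the same "how many bits are available" query that prngd-ctl get makes and then pulls a seed the way a TLS client would, so the two steps can be checked separately when diagnosing a "PRNG not seeded" error. The 32-byte seed threshold and the in-process fake pool are assumptions constructed for the demonstration.

```python
import socket
import threading

EGD_GET_ENTROPY = 0x00    # EGD command; reply: 4-byte big-endian count of bits in the pool
EGD_READ_BLOCKING = 0x02  # EGD command; request: one count byte; reply: exactly that many bytes

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("EGD socket closed mid-reply")
        buf += chunk
    return buf

def egd_entropy_bits(sock):
    # Same query 'prngd-ctl <socket> get' makes: bits currently available.
    sock.sendall(bytes([EGD_GET_ENTROPY]))
    return int.from_bytes(_recv_exact(sock, 4), "big")

def egd_read_blocking(sock, count):
    # Pull 'count' (1..255) seed bytes, blocking until the pool can supply them.
    if not 0 < count < 256:
        raise ValueError("count must fit in one byte")
    sock.sendall(bytes([EGD_READ_BLOCKING, count]))
    return _recv_exact(sock, count)

def check_pool(sock, seed_bytes=32):
    # Would a TLS client seeding from this pool get a full seed? The 32-byte
    # (256-bit) threshold is an assumed figure, not one stated in the mail.
    bits = egd_entropy_bits(sock)
    seed = egd_read_blocking(sock, seed_bytes) if bits >= seed_bytes * 8 else b""
    return {"bits_available": bits, "seeded": len(seed) == seed_bytes}

def _fake_egd(sock, bits):
    # Constructed stand-in for prngd: reports 'bits' and serves fixed bytes.
    while cmd := sock.recv(1):
        if cmd[0] == EGD_GET_ENTROPY:
            sock.sendall(bits.to_bytes(4, "big"))
        elif cmd[0] == EGD_READ_BLOCKING:
            sock.sendall(bytes(range(sock.recv(1)[0])))  # test data, not random
    sock.close()

def probe_fake_pool(bits):
    # Run check_pool against the constructed fake over a socketpair.
    client, server = socket.socketpair()
    t = threading.Thread(target=_fake_egd, args=(server, bits), daemon=True)
    t.start()
    with client:
        return check_pool(client)
```

Against a real pool, open an AF_UNIX stream socket, connect it to /dev/egd-pool and pass it to check_pool; the fake pool only exercises the protocol.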