RE: openSSL Key generation

From: Simon Thornton (simon.thornton@swift.com)
Date: 02/10/03

    Date: Mon, 10 Feb 2003 11:36:55 +0100
    From: Simon Thornton <simon.thornton@swift.com>
    To: "'Leland T. Snyder'" <ltsnyder@x3ci.com>, focus-linux@securityfocus.com


    Hi Leland,

    > nohup time /usr/bin/openssl genrsa -rand /dev/urandom
    > 1024 > /tmp/server.key &

    Two things occur to me: it's waiting for you to enter a password to
    protect the key, and as the process is in the bg it's blocked. The other
    thing that can occur (very rarely) on Linux is that the urandom system is
    not getting enough entropy to generate the random numbers needed by
    OpenSSL. This can be tested by using:

            dd if=/dev/urandom of=/tmp/rand bs=2k count=1

    This should return almost immediately and generate a 2k file
    /tmp/urandom.bin; if it does not return but blocks, then you have an
    entropy gathering problem. I doubt it will be a prob., but this is the
    way to check.

    Several suggestions:

    1. Remove the '-rand /dev/urandom' statement; it reads this by default
    (under Linux). On SUN machines there is no /dev/urandom; PRNGd is used
    instead. Unless you need an alternate random source, you don't need to
    specify it, and scripts transport easily between OS's.

    2. Use '-out /tmp/server.key' instead of piping the key; it's easier to
    separate the key from any errors.

    3. The keygen process requires you to enter a passwd for the key, which
    is why it never completes. If you 'fg' the process and then type in
    the passwd+ENTER, repeated twice, the process will complete.

    4. If you are unsure of the syntax, run openssl in interactive mode and
    use '?' to get help:

            # openssl
            OpenSSL> ?
            OpenSSL> genrsa ?

    The docs are often outdated; this is the only sure way to know what is
    compiled in.

    Rgds,

    Simon Thornton
    ---------------------------------------------------------------
    BTW, FWIW, IMHO, AFAIK, yes. OTOH, AAMOF, maybe not. YMMV
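The entropy probe and the key generation described in the reply, as an added example that is not part of the original post: the dd probe is run with a deadline so a blocked /dev/urandom yields a non-zero return code instead of a hung terminal, and the key is generated in the foreground with -out, without -rand and without a passphrase option, so nothing waits on a terminal and stderr can never end up inside the key file. The file paths, the 5-second deadline and the 2048-bit default are assumptions for illustration (the original thread used 1024 bits); the umask step, which makes the key file unreadable to other users, is a defender's addition not mentioned in the post.

```shell
#!/bin/sh
# Added example, not the original poster's code. Paths, the deadline and
# the 2048-bit default are assumptions for illustration.

# entropy_check OUTFILE [SECONDS]
# Runs the dd probe from the post in the background and polls it. Returns 0
# if 2k of random bytes arrived within SECONDS (default 5), 1 if dd blocked
# (an entropy-gathering problem) or produced a short file.
entropy_check() {
    out="$1"
    limit="${2:-5}"
    rm -f "$out"
    dd if=/dev/urandom of="$out" bs=2k count=1 2>/dev/null &
    pid=$!
    waited=0
    while kill -0 "$pid" 2>/dev/null; do
        if [ "$waited" -ge "$limit" ]; then
            kill "$pid" 2>/dev/null   # dd is stuck: a reader would block forever
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    wait "$pid" || return 1
    size=$(wc -c < "$out" | tr -d ' ')
    [ "$size" -eq 2048 ]
}

# gen_key KEYFILE [BITS]
# Generates the RSA key in the foreground with -out, as suggestions 1 and 2
# advise: no -rand (the kernel source is used by default on Linux) and no
# stdout redirect. The key file is created under umask 077 (mode 0600) so
# other local users cannot read the private key.
# Returns 0 on a well-formed PEM key, 1 on failure, 2 if openssl is missing.
gen_key() {
    keyfile="$1"
    bits="${2:-2048}"
    command -v openssl >/dev/null 2>&1 || return 2
    ( umask 077 && openssl genrsa -out "$keyfile" "$bits" 2>/dev/null ) || return 1
    # Sanity check: a PEM private key opens with a BEGIN ... PRIVATE KEY line
    # ("RSA PRIVATE KEY" on OpenSSL 1.x, "PRIVATE KEY" on OpenSSL 3)
    head -n 1 "$keyfile" | grep -q 'BEGIN .*PRIVATE KEY'
}

# Usage (assumed paths):
#   entropy_check /tmp/rand 5 && gen_key /tmp/server.key 2048
#   echo "exit status: $?"
```

Because both steps report through their exit status, the pair can sit in a provisioning script and fail loudly instead of silently leaving a background job waiting on a terminal, which is the symptom the original question describes.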
