RE: openSSL Key generation

• Previous message: Chris Ricker: "Re: SSL and Kerberos"
• In reply to: Leland T. Snyder: "openSSL Key generation"
• Next in thread: Matthaeus Wander: "Re: openSSL Key generation"
• Reply: Matthaeus Wander: "Re: openSSL Key generation"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 10 Feb 2003 11:36:55 +0100
From: Simon Thornton <simon.thornton@swift.com>
To: "'Leland T. Snyder'" <ltsnyder@x3ci.com>, focus-linux@securityfocus.com

Hi Leland,

> nohup time /usr/bin/openssl genrsa -rand /dev/urandom
> 1024 > /tmp/server.key &

Two things occur to me; it's waiting for you to enter a password to
protect the key, as the process is bg it's blocked. The other thing that
can occur (very rarely) on linux is that the urandom system is not
getting enough entropy to generate random numbers needed by OpenSSL.
This can be tested by using:

        dd if=/dev/urandom of=/tmp/rand bs=2k count=1

This should return almost immediately and generate a 2k file
/tmp/urandom.bin, if it does not return but blocks, then you have an
entropy gathering problem. I doubt it will be a prob. but this is the
way to check.

Several suggestions:

1. remove the '-rand /dev/urandom' statement, it reads this by default
(under Linux). On SUN machines there is no /dev/urandom, PRNGd is used
instead. Unless you need an alternate random source, you don't to
specify and scripts transport easily between OS's.

2. Use '-out /tmp/server.key' instead of piping the key, it's easier to
separate the key from any errors.

3. The keygen process requires you to enter a passwd for the key, which
is why it is never completes. if you 'fg' the process and then type in
the passwd+ENTER, repeated twice, the process will complete.

4. If you are unsure of the syntax, run openssl in interactive mode and
use '?' to get help:

        # openssl
        OpenSSL> ?
        OpenSSL> genrsa ?

The docs are often outdated, this is the only sure way to know what is
compiled in.
  

Rgds,
  

Simon Thornton
---------------------------------------------------------------
BTW, FWIW, IMHO, AFAIK, yes. OTOH, AAMOF, maybe not. YMMV

• application/x-pkcs7-signature attachment: smime.p7s

• Next message: Zow: "Re: LKM Trojan installed"
• Previous message: Chris Ricker: "Re: SSL and Kerberos"
• In reply to: Leland T. Snyder: "openSSL Key generation"
• Next in thread: Matthaeus Wander: "Re: openSSL Key generation"
• Reply: Matthaeus Wander: "Re: openSSL Key generation"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages [Full-Disclosure] The last word on the Linux Slapper worm ... current of openssl g. ... > the Linux Slapper worm, and posts to the bugtraq list ranging from the ... > appears that the Linux vendors and openssl had been working together to ... (Full-Disclosure) AES C# and OpenSSL Interop ... We have been creating files encoded with OpenSSL (Linux) AES for some ... public static string Decrypt2 ... (microsoft.public.dotnet.security) Re: Windows Is Now More Secure Than Linux ... >CERT Advisory CA-2002-23 Multiple Vulnerabilities In OpenSSL ... >There are four remotely exploitable buffer overflows in OpenSSL. ... Linux and other Unix flavor Operating System's have more ... >>>Opensource code is never looked at for bug but by hackers, ... (comp.security.misc) Re: Windows Is Now More Secure Than Linux ... > There are four remotely exploitable buffer overflows in OpenSSL. ... Linux and other Unix flavor Operating System's have ... >>>Opensource code is never looked at for bug but by hackers, ... Hell yes, so they put out updates, and upgrades, do they get it ... (comp.security.misc)