- From: <Ville.Alkkiomaki@sonera.com>
- Date: Fri, 14 Jul 2000 12:11:48 +0300
- TO: www-lib@w3.org
When using SSL connections with relative new OpenSSL library you get error
"Fatal Error: SSLWRITE operation failed (Error 0)" under platforms where
you don't have /dev/urandom. This happens because OpenSSL cannot initialize it's
random number generator and cannot therefore generate session keys.
You can fix this problem for example by adding method
PUBLIC void HTSSL_seed (void * buf,int len)
{
RAND_seed(buf,len);
}
to HTSSL.c and call it before connecting. The parameter buf must be random data
buffer with length more or equal to 16 bytes and len is length. The bigger the
data buffer is the better. This 16 bytes is only minimum to start openssl, but
if you want strong session keys (unbreakable) you need much more. How much
depens on key lengths and stuff, maybe a few kB would be enough (?). (just a
guess)
In WinNT OpenSSL seems to use video screen data as seed, but under unix that's
little more troublesome. There are some libraries generating random numbers from
system status (from interrupts, loads, etc..) which could be used.
The old versions of OpenSSL doesn't give error if used without seeding, but they
will then generate weak keys. And IMHO better not use encryption at all if it's
easely breakable.
Anyone have suggestions?
regards,
Ville Alkkiomaki
Received on Friday, 14 July 2000 05:12:04 UTC