- From: <Ville.Alkkiomaki@sonera.com>
- Date: Fri, 14 Jul 2000 12:11:48 +0300
- TO: www-lib@w3.org
When using SSL connections with a relatively new OpenSSL library you get the error "Fatal Error: SSLWRITE operation failed (Error 0)" on platforms where you don't have /dev/urandom. This happens because OpenSSL cannot initialize its random number generator and therefore cannot generate session keys.

You can fix this problem, for example, by adding the method

    PUBLIC void HTSSL_seed (void * buf, int len) { RAND_seed(buf, len); }

to HTSSL.c and calling it before connecting. The parameter buf must be a random data buffer with a length greater than or equal to 16 bytes, and len is its length. The bigger the data buffer is, the better. These 16 bytes are only the minimum to start OpenSSL, but if you want strong (unbreakable) session keys you need much more. How much depends on key lengths and stuff; maybe a few kB would be enough (?). (Just a guess.)

In WinNT OpenSSL seems to use video screen data as the seed, but under Unix that's a little more troublesome. There are some libraries generating random numbers from system status (from interrupts, loads, etc.) which could be used.

Old versions of OpenSSL don't give an error if used without seeding, but they will then generate weak keys. And IMHO it's better not to use encryption at all if it's easily breakable.

Anyone have suggestions?

regards,
Ville Alkkiomaki
Received on Friday, 14 July 2000 05:12:04 UTC
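An added example (not part of the message above and not libwww's own code) of the seeding step it describes: collect a seed buffer of at least 16 bytes, preferring /dev/urandom and falling back to a mix of system state on platforms that lack it, then hand it to OpenSSL and check that the PRNG reports itself seeded. The function names seed_from_urandom, seed_from_system_state, htssl_collect_seed and HTSSL_seed_checked are assumptions chosen for this example; the HAVE_OPENSSL macro is likewise an assumption (build with -DHAVE_OPENSSL -lcrypto to exercise the real RAND_seed/RAND_status calls, which exist from OpenSSL 0.9.5 on). The fallback path is exactly the weak kind of seed the message warns about; it only makes OpenSSL start, it does not make the keys strong.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <time.h>
#ifdef HAVE_OPENSSL            /* assumption: build flag, not a libwww macro */
#include <openssl/rand.h>
#endif
#ifndef _WIN32
#include <unistd.h>
#endif

#define HTSSL_MIN_SEED 16     /* the minimum the message gives for starting OpenSSL */

/* FNV-1a style mixing: spreads the fallback samples over the buffer.
 * It adds no entropy of its own; it only avoids handing OpenSSL raw,
 * mostly-constant struct bytes. */
static uint64_t mix(uint64_t h, const void *p, size_t n) {
    const unsigned char *b = p;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Read len bytes from /dev/urandom. Returns bytes read, 0 if the device is absent. */
size_t seed_from_urandom(unsigned char *buf, size_t len) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return 0;
    size_t n = fread(buf, 1, len, f);
    fclose(f);
    return n;
}

/* Fallback for platforms without /dev/urandom: sample system state that is at
 * hand (wall time, CPU clock, pid, stack and heap addresses) and spread it over
 * buf. Weak, but enough to get past "PRNG not seeded". Returns len. */
size_t seed_from_system_state(unsigned char *buf, size_t len) {
    uint64_t h = 0xcbf29ce484222325ULL;
    time_t now = time(NULL);
    clock_t cpu = clock();
    void *heap = malloc(1);
    uintptr_t stack_addr = (uintptr_t)&h, heap_addr = (uintptr_t)heap;
    free(heap);
#ifndef _WIN32
    long pid = (long)getpid();
    h = mix(h, &pid, sizeof pid);
#endif
    h = mix(h, &now, sizeof now);
    h = mix(h, &cpu, sizeof cpu);
    h = mix(h, &stack_addr, sizeof stack_addr);
    h = mix(h, &heap_addr, sizeof heap_addr);
    for (size_t i = 0; i < len; i++) {
        h = mix(h, &i, sizeof i);          /* keep the state moving per byte */
        buf[i] = (unsigned char)(h >> 56);
    }
    return len;
}

/* Collect at least HTSSL_MIN_SEED bytes: /dev/urandom first, system state second.
 * Returns bytes collected, or 0 if the caller's buffer is too small to be useful. */
size_t htssl_collect_seed(unsigned char *buf, size_t len) {
    if (len < HTSSL_MIN_SEED) return 0;
    size_t n = seed_from_urandom(buf, len);
    if (n >= HTSSL_MIN_SEED) return n;
    return seed_from_system_state(buf, len);
}

/* Variant of the message's HTSSL_seed() that reports whether seeding worked:
 * returns 1 when the buffer meets the minimum and (with OpenSSL) RAND_status()
 * says the PRNG is seeded, else 0. Without HAVE_OPENSSL only the size check runs. */
int HTSSL_seed_checked(void *buf, int len) {
    if (buf == NULL || len < HTSSL_MIN_SEED) return 0;
#ifdef HAVE_OPENSSL
    RAND_seed(buf, len);
    return RAND_status();
#else
    return 1;
#endif
}

/* Sanity check on a seed: a buffer of one repeated byte is not a usable seed. */
int all_same_byte(const unsigned char *buf, size_t len) {
    for (size_t i = 1; i < len; i++) if (buf[i] != buf[0]) return 0;
    return 1;
}

int main(void) {
    unsigned char seed[1024];              /* "a few kB" territory, per the message */
    size_t n = htssl_collect_seed(seed, sizeof seed);
    printf("collected %zu seed bytes\n", n);
    if (!HTSSL_seed_checked(seed, (int)n)) {
        fprintf(stderr, "PRNG not seeded; refusing to open an SSL connection\n");
        return 1;
    }
    memset(seed, 0, sizeof seed);          /* don't leave seed material in memory */
    return 0;
}
```

Call htssl_collect_seed() and HTSSL_seed_checked() once before the first SSL connect; if the checked variant returns 0, abort rather than proceed with an unseeded PRNG, since that is the "weak keys" case the message describes for older OpenSSL releases.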