X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=FAQ;h=2043607c935811cfae82ce16c06c918a7a4790f0;hp=4702d6ac9b00950e7eb8a4ed96b633efc926dfe7;hb=bdee69f7186e1d0b94baa5179d068fc9c611faf5;hpb=6767a536696c601b02b3b6bca4521436b2972b48 diff --git a/FAQ b/FAQ index 4702d6ac9b..2043607c93 100644 --- a/FAQ +++ b/FAQ @@ -17,6 +17,7 @@ OpenSSL - Frequently Asked Questions [USER] Questions on using the OpenSSL applications * Why do I get a "PRNG not seeded" error message? +* Why do I get an "unable to write 'random state'" error message? * How do I create certificates or certificate requests? * Why can't I create certificate requests? * Why does fail with a certificate verify error? @@ -47,6 +48,7 @@ OpenSSL - Frequently Asked Questions * Why do I get errors about unknown algorithms? * Why can't the OpenSSH configure script detect OpenSSL? * Can I use OpenSSL's SSL library with non-blocking I/O? +* Why doesn't my server application receive a client certificate? =============================================================================== @@ -55,7 +57,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from . -OpenSSL 0.9.6 was released on September 24th, 2000. +OpenSSL 0.9.6a was released on April 5th, 2001. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at and others have suggested installing the SUNski package from Sun patch 105710-01 (Sparc) which @@ -190,6 +211,18 @@ versions. However, be warned that /dev/random is usually a blocking device, which may have some effects on OpenSSL. +* Why do I get an "unable to write 'random state'" error message? + + +Sometimes the openssl command line utility does not abort with +a "PRNG not seeded" error message, but complains that it is +"unable to write 'random state'". This message refers to the +default seeding file (see previous answer). A possible reason +is that no default filename is known because neither RANDFILE +nor HOME is set. (Versions up to 0.9.6 used file ".rnd" in the +current directory in this case, but this has changed with 0.9.6a.) + + * How do I create certificates or certificate requests? Check out the CA.pl(1) manual page. This provides a simple wrapper round @@ -490,44 +523,16 @@ OpenSSL_add_all_algorithms(). See the manual page for more information. * Why can't the OpenSSH configure script detect OpenSSL? -There is a problem with OpenSSH 1.2.2p1, in that the configure script -can't find the installed OpenSSL libraries. The problem is actually -a small glitch that is easily solved with the following patch to be -applied to the OpenSSH distribution: - ------ snip:start ----- ---- openssh-1.2.2p1/configure.in.orig Thu Mar 23 18:56:58 2000 -+++ openssh-1.2.2p1/configure.in Thu Mar 23 18:55:05 2000 -@@ -152,10 +152,10 @@ - AC_MSG_CHECKING([for OpenSSL/SSLeay directory]) - for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do - if test ! -z "$ssldir" ; then -- LIBS="$saved_LIBS -L$ssldir" -+ LIBS="$saved_LIBS -L$ssldir/lib" - CFLAGS="$CFLAGS -I$ssldir/include" - if test "x$need_dash_r" = "x1" ; then -- LIBS="$LIBS -R$ssldir" -+ LIBS="$LIBS -R$ssldir/lib" - fi - fi - LIBS="$LIBS -lcrypto" ---- openssh-1.2.2p1/configure.orig Thu Mar 23 18:55:02 2000 -+++ openssh-1.2.2p1/configure Thu Mar 23 18:57:08 2000 -@@ -1890,10 +1890,10 @@ - echo "configure:1891: checking for OpenSSL/SSLeay directory" >&5 - for ssldir in "" $tryssldir /usr /usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/pkg /opt /opt/openssl ; do - if test ! -z "$ssldir" ; then -- LIBS="$saved_LIBS -L$ssldir" -+ LIBS="$saved_LIBS -L$ssldir/lib" - CFLAGS="$CFLAGS -I$ssldir/include" - if test "x$need_dash_r" = "x1" ; then -- LIBS="$LIBS -R$ssldir" -+ LIBS="$LIBS -R$ssldir/lib" - fi - fi - LIBS="$LIBS -lcrypto" ------ snip:end ----- +Several reasons for problems with the automatic detection exist. +OpenSSH requires at least version 0.9.5a of the OpenSSL libraries. +Sometimes the distribution has installed an older version in the system +locations that is detected instead of a new one installed. The OpenSSL +library might have been compiled for another CPU or another mode (32/64 bits). +Permissions might be wrong. +The general answer is to check the config.log file generated when running +the OpenSSH configure script. It should contain the detailed information +on why the OpenSSL library was not detected or considered incompatible. * Can I use OpenSSL's SSL library with non-blocking I/O? @@ -543,5 +548,12 @@ requiring a bi-directional message exchange; both SSL_read() and SSL_write() will try to continue any pending handshake. +* Why doesn't my server application receive a client certificate? + +Due to the TLS protocol definition, a client will only send a certificate, +if explicitely asked by the server. Use the SSL_VERIFY_PEER flag of the +SSL_CTX_set_verify() function to enable the use of client certificates. + + ===============================================================================