OpenSSL 1.1.1 introduced a new CSPRNG with an improved seeding
mechanism, which makes it dispensable to define a RANDFILE for
saving and restoring randomness. This commit removes the RANDFILE
declarations from our own configuration files and adds documentation
that this option is not needed anymore and retained mainly for
compatibility reasons.
Fixes #10433
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10436)
23 files changed:
/out32dll.dbg
/inc32
/MINFO
/out32dll.dbg
/inc32
/MINFO
/ms/bcb.mak
/ms/libeay32.def
/ms/nt.mak
/ms/bcb.mak
/ms/libeay32.def
/ms/nt.mak
# This definition stops the following lines choking if HOME or CN
# is undefined.
HOME = .
# This definition stops the following lines choking if HOME or CN
# is undefined.
HOME = .
-RANDFILE = $ENV::HOME/.rnd
CN = "Not Defined"
####################################################################
CN = "Not Defined"
####################################################################
# This definition stops the following lines choking if HOME or CN
# is undefined.
HOME = .
# This definition stops the following lines choking if HOME or CN
# is undefined.
HOME = .
-RANDFILE = $ENV::HOME/.rnd
CN = "Not Defined"
default_ca = ca
CN = "Not Defined"
default_ca = ca
=item B<RANDFILE>
At startup the specified file is loaded into the random number generator,
=item B<RANDFILE>
At startup the specified file is loaded into the random number generator,
-and at exit 256 bytes will be written to it.
+and at exit 256 bytes will be written to it. (Note: Using a RANDFILE is
+not necessary anymore, see the L</HISTORY> section.
serial = $dir/serial # serial no file
#rand_serial = yes # for random serial#'s
private_key = $dir/private/cakey.pem# CA private key
serial = $dir/serial # serial no file
#rand_serial = yes # for random serial#'s
private_key = $dir/private/cakey.pem# CA private key
- RANDFILE = $dir/private/.rand # random number file
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
./demoCA/index.txt - CA text database file
./demoCA/index.txt.old - CA text database backup file
./demoCA/certs - certificate output file
./demoCA/index.txt - CA text database file
./demoCA/index.txt.old - CA text database backup file
./demoCA/certs - certificate output file
- ./demoCA/.rnd - CA random seed information
earlier than year 2049 (included), and as GeneralizedTime if the dates
are in year 2050 or later.
earlier than year 2049 (included), and as GeneralizedTime if the dates
are in year 2050 or later.
+OpenSSL 1.1.1 introduced a new random generator (CSPRNG) with an improved
+seeding mechanism. The new seeding mechanism makes it unnecessary to
+define a RANDFILE for saving and restoring randomness. This option is
+retained mainly for compatibility reasons.
+
=head1 SEE ALSO
L<openssl(1)>,
=head1 SEE ALSO
L<openssl(1)>,
Sample configuration containing all field values:
Sample configuration containing all field values:
- RANDFILE = $ENV::HOME/.rnd
-
[ req ]
default_bits = 2048
default_keyfile = keyfile.pem
[ req ]
default_bits = 2048
default_keyfile = keyfile.pem
-See L<openssl-ca(1)> for description. (Optional)
+This specifies a file containing additional B<OBJECT IDENTIFIERS>.
+Each line of the file should consist of the numerical form of the
+object identifier followed by white space then the short name followed
+by white space and finally the long name. (Optional)
-See L<openssl-ca(1)> for description. (Optional)
+This specifies a section in the configuration file containing extra
+object identifiers. Each line should consist of the short name of the
+object identifier followed by B<=> and the numerical form. The short
+and long names are the same when this option is used. (Optional)
-See L<openssl-ca(1)> for description. (Optional)
+At startup the specified file is loaded into the random number generator,
+and at exit 256 bytes will be written to it. (Note: Using a RANDFILE is
+not necessary anymore, see the L</HISTORY> section.
+=head1 HISTORY
+
+OpenSSL 1.1.1 introduced a new random generator (CSPRNG) with an improved
+seeding mechanism. The new seeding mechanism makes it unnecessary to
+define a RANDFILE for saving and restoring randomness. This option is
+retained mainly for compatibility reasons.
+
=head1 SEE ALSO
L<openssl(1)>,
=head1 SEE ALSO
L<openssl(1)>,
# This is the default section.
HOME=/temp
# This is the default section.
HOME=/temp
- RANDFILE= ${ENV::HOME}/.rnd
configdir=$ENV::HOME/config
[ section_one ]
configdir=$ENV::HOME/config
[ section_one ]
# This is mostly being used for generation of certificate requests.
#
# This is mostly being used for generation of certificate requests.
#
####################################################################
[ req ]
default_bits = 2048
####################################################################
[ req ]
default_bits = 2048
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
-RANDFILE = $dir/private/.rand # private random number file
x509_extensions = v3_ca # The extensions to add to the cert
x509_extensions = v3_ca # The extensions to add to the cert
#
# hacked by iang to do DH certs - CA
#
# hacked by iang to do DH certs - CA
####################################################################
[ req ]
distinguished_name = req_distinguished_name
####################################################################
[ req ]
distinguished_name = req_distinguished_name
#
# hacked by iang to do DSA certs - CA
#
# hacked by iang to do DSA certs - CA
####################################################################
[ req ]
distinguished_name = req_distinguished_name
####################################################################
[ req ]
distinguished_name = req_distinguished_name
#
# create RSA certs - CA
#
# create RSA certs - CA
####################################################################
[ req ]
distinguished_name = req_distinguished_name
####################################################################
[ req ]
distinguished_name = req_distinguished_name
# This config is used by the Time Stamp Authority tests.
#
# This config is used by the Time Stamp Authority tests.
#
# Extra OBJECT IDENTIFIER info:
oid_section = new_oids
# Extra OBJECT IDENTIFIER info:
oid_section = new_oids
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
private_key = $dir/private/cakey.pem# The private key
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
private_key = $dir/private/cakey.pem# The private key
-RANDFILE = $dir/private/.rand # private random number file
default_days = 365 # how long to certify for
default_md = sha256 # which md to use.
default_days = 365 # how long to certify for
default_md = sha256 # which md to use.
# This is mostly being used for generation of certificate requests.
#
# This is mostly being used for generation of certificate requests.
#
####################################################################
[ req ]
default_bits = 2048
####################################################################
[ req ]
default_bits = 2048
# This is mostly being used for generation of certificate requests.
#
# This is mostly being used for generation of certificate requests.
#
####################################################################
[ req ]
default_bits = 2048
####################################################################
[ req ]
default_bits = 2048
#
# hacked by iang to do DSA certs - Server
#
# hacked by iang to do DSA certs - Server
####################################################################
[ req ]
distinguished_name = req_distinguished_name
####################################################################
[ req ]
distinguished_name = req_distinguished_name
#
# create RSA certs - Server
#
# create RSA certs - Server
####################################################################
[ req ]
distinguished_name = req_distinguished_name
####################################################################
[ req ]
distinguished_name = req_distinguished_name
# This is mostly being used for generation of certificate requests.
#
# This is mostly being used for generation of certificate requests.
#
CN2 = Brother 2
####################################################################
CN2 = Brother 2
####################################################################
- /* verify whether RANDFILE is set correctly */
- str = NCONF_get_string(conf, "", "RANDFILE");
- if (!TEST_ptr(str) || !TEST_str_eq(str, "./.rnd")) {
- TEST_note("RANDFILE incorrect");
- return 0;
- }
-
/* verify whether CA_default/default_days is set */
val = 0;
if (!TEST_int_eq(NCONF_get_number(conf, "CA_default", "default_days", &val), 1)
/* verify whether CA_default/default_days is set */
val = 0;
if (!TEST_int_eq(NCONF_get_number(conf, "CA_default", "default_days", &val), 1)
require_ok(srctop_file('test','recipes','tconversion.pl'));
require_ok(srctop_file('test','recipes','tconversion.pl'));
-open RND, ">>", ".rnd";
-print RND "string to make the random number generator think it has randomness";
-close RND;
-
# What type of key to generate?
my @req_new;
if (disabled("rsa")) {
# What type of key to generate?
my @req_new;
if (disabled("rsa")) {
# -----------
# subtest functions
sub testss {
# -----------
# subtest functions
sub testss {
- open RND, ">>", ".rnd";
- print RND "string to make the random number generator think it has randomness";
- close RND;
-
my @req_dsa = ("-newkey",
"dsa:".srctop_file("apps", "dsa1024.pem"));
my $dsaparams = srctop_file("apps", "dsa1024.pem");
my @req_dsa = ("-newkey",
"dsa:".srctop_file("apps", "dsa1024.pem"));
my $dsaparams = srctop_file("apps", "dsa1024.pem");
# This is mostly being used for generation of certificate requests.
#
# This is mostly being used for generation of certificate requests.
#
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/CAkey.pem# The private key
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/CAkey.pem# The private key
-RANDFILE = $dir/private/.rand # private random number file
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
# This definition stops the following lines choking if HOME or CN
# is undefined.
HOME = .
# This definition stops the following lines choking if HOME or CN
# is undefined.
HOME = .
-RANDFILE = $ENV::HOME/.rnd
CN = "Not Defined"
default_ca = ca
CN = "Not Defined"
default_ca = ca
# This is mostly being used for generation of certificate requests.
#
# This is mostly being used for generation of certificate requests.
#
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/CAkey.pem# The private key
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/CAkey.pem# The private key
-RANDFILE = $dir/private/.rand # private random number file
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL