Not enabling default provider leads to "broken"/low entropy/randomness #1883
-
I'm trying to build my OpenSSL with the latest version with OQS, but after building and installing everything successfully, I can see that everything works also. But the server ends up being unable to curl, wget, etc., and errors about insufficient randomness: `curl: (35) Insufficient randomness`. I tried a couple of things to try and fix the entropy, but that seems to be a giant hassle. I wonder if somebody else has had this issue or has any clue what could cause it. I tried it a couple of times on different servers. I made a small guide for myself to use for the steps; if I do it like this, it results in the issue:
- Enable SCTP:
- Set the System.map:
- Enable cryptodev engine:
- Compile and install cryptodev:
- Update module dependencies and load cryptodev module:
- Verify cryptodev module and device:
- Create or edit the systemd service unit file to run commands at each boot:
- Enable the service:
- Set Up Directories, Clone OpenSSL, Initialize Submodules and enter folder:
- Download and apply the custom patch to add the extra CHACHA20-POLY1305 256-bits ciphers:
- Configure a FULL installation for 3.4.0-dev:
- Make everything:
- Run a test:
- Install the build:
- Set the directories for your custom location:
- Check if you are using your new installation:
- Reboot the server:
- Clone and Build liboqs:
- Fix for the malloc error:
- Configure and build liboqs:
- Clone and Build the OQS Provider:
- Clone the OQS provider repository:
- Configure the build to use static linking:
- Build the OQS provider:
- Run the tests to ensure everything is set up correctly:
- Ensure that the OQS provider is in a directory where OpenSSL can find it.
- Copy the OQS provider shared library to your custom OpenSSL library directory:
- Create or edit your OpenSSL configuration file (e.g., /usr/local/Gorefest-3.4.0/ssl/openssl.cnf) to include the OQS provider and Activate it:
- Run the following command to verify that the OQS provider is recognized by your custom OpenSSL installation:
Replies: 3 comments 5 replies
-
Please check the USAGE file:
-> By disabling either (read: both) std provider of OpenSSL you disable the sole source of randomness for the system.
-
For future reference. What @baentsch said means the following: THIS IS WRONG:
THE CORRECT COMMAND SHOULD BE:
This solved the issue.
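As an added example (not code from this discussion or from oqs-provider), the following POSIX shell script reproduces the misconfiguration described above and the fix: an openssl.cnf that activates only an extra provider leaves OpenSSL 3 without a DRBG or seed source, because once any provider is activated in the config the library no longer auto-loads `default`, and `default` is what supplies them. `openssl rand` (the same RAND_bytes() path curl and wget hit) fails under that config and succeeds once `default` is activated alongside. Assumptions: a stock OpenSSL 3.x `openssl` binary is on PATH, and the stock `base` provider stands in for oqsprovider so the script runs on a machine without oqsprovider installed; the commented-out oqsprovider section and its module path are illustrative, not taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the discussion or from oqs-provider.
# Shows the "no randomness" failure caused by activating an extra provider
# in openssl.cnf without also activating "default", and the corrected config.
# Assumption: stock OpenSSL 3.x on PATH; "base" stands in for oqsprovider.
set -u

# Broken config: only the extra provider is activated. Activating any
# provider here stops OpenSSL from auto-loading "default", so no provider
# offers a DRBG or seed source. The thread's config did this with
# oqsprovider alone.
write_broken_cnf() {
    cat > "$1" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
base = base_sect

[base_sect]
activate = 1
EOF
}

# Fixed config: "default" is activated next to the extra provider.
# The oqsprovider lines are commented out (assumed module path) so the
# file still loads where oqsprovider is not installed.
write_fixed_cnf() {
    cat > "$1" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
base = base_sect
# oqsprovider = oqsprovider_sect

[default_sect]
activate = 1

[base_sect]
activate = 1

# [oqsprovider_sect]
# activate = 1
# module = /usr/local/lib/ossl-modules/oqsprovider.so
EOF
}

# Exit 0 if the library can produce random bytes under the given config,
# non-zero otherwise. This is the RAND_bytes() path TLS clients rely on.
rand_works_with() {
    OPENSSL_CONF="$1" openssl rand -hex 16 >/dev/null 2>&1
}

# Write both configs to a temp dir and report what each one yields.
demo() {
    work=$(mktemp -d)
    write_broken_cnf "$work/broken.cnf"
    write_fixed_cnf "$work/fixed.cnf"
    for cnf in broken fixed; do
        printf '== %s.cnf: loaded providers ==\n' "$cnf"
        OPENSSL_CONF="$work/$cnf.cnf" openssl list -providers 2>&1 || true
        if rand_works_with "$work/$cnf.cnf"; then
            printf '%s.cnf: openssl rand OK\n\n' "$cnf"
        else
            printf '%s.cnf: openssl rand FAILED (no DRBG / seed source)\n\n' "$cnf"
        fi
    done
    rm -rf "$work"
}

demo
```

The check to keep in mind when editing a provider config: after pointing `OPENSSL_CONF` at it, `openssl list -providers` must show `default` (or another provider that supplies RAND, such as `fips`) before trusting that TLS clients on the box will work.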
-
This should be fixed in the documentation.