Re: Beginning SSL Questions

From: Michael Fuhr <mike(at)fuhr(dot)org>
To: Jeanna Geier <jgeier(at)apt-cafm(dot)com>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: Beginning SSL Questions
Date: 2006-09-21 02:51:12
Message-ID: 20060921025112.GA73386@winnie.fuhr.org
Lists: pgadmin-support pgsql-admin

On Wed, Sep 20, 2006 at 03:33:18PM -0500, Jeanna Geier wrote:
> Hopefully someone here has some OpenSSL expertise and can help me with a
> problem I'm running into...
[...]
> So, I changed to the openssl-0.9.8c directory to build my keyfile and
> certificate and am having no luck and could really use someone's
> expertise!! When I enter the command line option to generate the keyfile,
> it says it's generating the file, but it just hangs there.... I've left it
> running, but it doesn't complete, it only outputs the two lines with
> '.......++++++' and stops:
>
> $ openssl genrsa -des3 -out server.key 2048
> Loading 'screen' into random state - done
> Generating RSA private key, 2048 bit long modulus
> ........................................+++
> ......+++

That command should work; here's what it does on my FreeBSD system:

% openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...............+++
............................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

Your prime number generation appears to have completed but the
command hangs before displaying the encryption exponent. How long
did you wait? The OpenSSL source code has only a few lines between
those two actions, one of which is:

app_RAND_write_file(NULL, bio_err);

I wonder if that's where the command is hanging. That function
generates cryptographically strong pseudo-random bytes and saves
them to a file for future use, so it's possible that you didn't
wait long enough. If your system doesn't have enough entropy then
it might be waiting to gather more, in which case wiggling the mouse
or banging on the keyboard might help (assuming your system gathers
entropy from "random" activity like interrupts). If not then you
could try commenting out that line (line 264) in apps/genrsa.c,
then rebuild and reinstall OpenSSL. That's not a good solution but
if key generation completes after making that change then at least
you'd have pinpointed the problem.

Incidentally, if you encrypt the private key (as you're doing with
the -des3 option) then the postmaster will prompt for the password
every time it starts. That'll prevent the postmaster from starting
unattended.

--
Michael Fuhr

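An added example, not part of the thread or of OpenSSL: a small POSIX shell script that puts Michael's two points into practice, checking the kernel entropy pool before generating a key (Linux only), bounding the wait so a stalled genrsa fails instead of hanging forever, and producing an unencrypted key (or stripping the passphrase from an existing -des3 key) so the postmaster can start unattended. It assumes the openssl command-line tool and, for the bounded wait, the coreutils/BSD `timeout` utility; file names and the KEY_PASS variable are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes a POSIX shell and the
# openssl CLI; the entropy check is Linux-specific and the bounded wait
# needs the `timeout` utility (both degrade gracefully if absent).
# File names and the KEY_PASS variable name are this example's choices.

# Report the kernel's available entropy (Linux), or "unknown" elsewhere.
# A pool stuck near 0 is the classic reason RNG seeding stalls.
entropy_avail() {
    if [ -r /proc/sys/kernel/random/entropy_avail ]; then
        cat /proc/sys/kernel/random/entropy_avail
    else
        echo unknown
    fi
}

# Run "bounded SECONDS cmd args..." with a time limit if `timeout` exists,
# so a stalled genrsa fails visibly instead of hanging a build script.
bounded() {
    if command -v timeout >/dev/null 2>&1; then
        timeout "$@"
    else
        shift            # drop the seconds argument and run unbounded
        "$@"
    fi
}

# Generate an UNENCRYPTED RSA key (no -des3) so the postmaster never prompts
# for a passphrase; create it mode 0600 from the outset, then sanity-check it.
# Returns 0 on success, 1 if generation timed out or the key fails -check.
gen_server_key() {
    key="$1"; bits="${2:-2048}"
    ( umask 077; bounded 120 openssl genrsa -out "$key" "$bits" 2>/dev/null ) || return 1
    openssl rsa -in "$key" -check -noout >/dev/null 2>&1 || return 1
}

# Remove the passphrase from an existing -des3 key. The passphrase is read
# from the KEY_PASS environment variable rather than argv, so it does not
# show up in `ps` output.
strip_passphrase() {
    in="$1"; out="$2"
    export KEY_PASS
    ( umask 077; openssl rsa -in "$in" -out "$out" -passin env:KEY_PASS 2>/dev/null )
}

# Modulus size of a private key, so callers can confirm they got what they
# asked for (works with the 1.0, 1.1 and 3.x "Private-Key: (N bit" formats).
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Usage, e.g. to produce the file named by ssl_key_file in postgresql.conf:
#   echo "entropy available: $(entropy_avail)"
#   gen_server_key /path/to/server.key 2048 || echo "key generation failed" >&2
```

The key is left unencrypted on purpose: an encrypted key protects against someone reading the file, but the postmaster then cannot start without a human at the console, so the usual trade-off is an unencrypted key owned by the database user with mode 0600, which is what `umask 077` gives here.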