ssl error "PRNG not seeded"

Geoffrey Talvola gtalvola at nameconnector.com
Thu Apr 10 21:34:10 CEST 2003


Geoffrey Talvola wrote:
> ...
> When my 
> service started, it
> couldn't make any SSL requests.  My logfile reveals that 
> every time it tried
> to call socket.ssl(sock) the following exception was raised:
> 
> sslerror: (1, 'error:24064064:random number 
> generator:SSLEAY_RAND_BYTES:PRNG
> not seeded')
...

I'm closer to figuring this out.  Here's what I've determined:

1) OpenSSL's RAND_poll() gets called the first time it needs some random
bytes.

2) On Windows, RAND_poll() is implemented in crypto/rand/rand_win.c and
basically gets a bunch of unpredictable stuff from various Win32 API calls
such as the CryptoAPI, various Performance counters, timer data, processes,
threads, modules, heap, etc. to build up randomness.

3) For some reason, on the occasion when I experienced the exception,
RAND_poll() failed to generate enough randomness.  OpenSSL doesn't let you
proceed with an inadequately seeded PRNG so all SSL calls fail.

4) I'm not sure if this was a chance failure, or if it could have been
exacerbated by the fact the the service was starting due to a reboot.
Perhaps some of the calls that RAND_poll() was making to try to gather
randomness failed because the services that provide those calls weren't
started yet.  Hard to tell.

I think I'll report this as a bug in OpenSSL (although I don't know how to
fix it).

A workaround would be for me to call socket.RAND_add() with some chunk of
pseudo-random bytes, to fool OpenSSL into thinking it has enough randomness.

- Geoff





More information about the Python-list mailing list