Bug 11943 - OpenSSL-1.1.1 RAND_write_file:Cannot open
Summary: OpenSSL-1.1.1 RAND_write_file:Cannot open
Alias: None
Product: IPFire
Classification: Unclassified
Component: openssl (show other bugs)
Version: 2
Hardware: all Unspecified
: - Unknown - Major Usability
Assignee: Erik Kapfer
QA Contact: Peter Müller
Depends on:
Blocks: 11913
  Show dependency treegraph
Reported: 2018-12-01 08:14 UTC by Erik Kapfer
Modified: 2019-03-15 16:44 UTC (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Erik Kapfer 2018-12-01 08:14:19 UTC
With the upcoming update to OpenSSL-1.1.1(a) there is a problem with the creation of the .rnd files.

.rnd files are regular present (tested with <=core 125) in:

-rw------- 1 nobody nobody 1024 Sep  1 09:07 /home/nobody/.rnd
-rw------- 1 nobody nobody 1024 Nov 16 01:27 /var/ipfire/ovpn/ca/.rnd
-rw------- 1 nobody nobody 1024 Sep 22 12:14 /var/tmp/.rnd
-rw------- 1 root root 1024 Jun 25 12:59 /.rnd
-rw------- 1 root root 1024 Nov 19 14:29 /root/.rnd

OpenSSL-1.1.1 do not create this files anymore and only error messages appears for OpenVPN and IPSec but the e.g. the PKI generation worked so far for both but the error message appears.

OpenSSL-1.1.1a seems to address this issue --> https://www.openssl.org/news/changelog.html#x1 and it does create one .rnd file under

-rw------- 1 root root 1024 Dec  1 07:40 /var/tmp/.rnd

which crashes the PKI generation of IPSec while creating a new one (fresh install).

Error message IPSec PKI generation:
OpenSSL hat einen Fehler verursacht: <br>139952797528576:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:98:Filename=/var/tmp/.rnd<br>139952797528576:error:24070079:random number generator:RAND_write_file:Cannot open file:crypto/rand/randfile.c:233:Filename=/var/tmp/.rnd 

I think the problem is the permission since '/var/tmp/.rnd' is owned by root but it should be owned by nobody.

Error message OpenVPN PKI generation (didn´t crashed cause no .rnd file is present):
Can't load /var/ipfire/ovpn/ca/.rnd into RNG
140361912357376:error:2406F079:random number generator:RAND_load_file:Cannot open file:crypto/rand/randfile.c:98:Filename=/var/ipfire/ovpn/ca/.rnd


Comment 1 Erik Kapfer 2018-12-07 06:19:16 UTC
OpenSSL-1.1.1a fixes the rnd. creation problem so far but leaves nevertheless a problem for the IPSec structure on IPFire.
On OpenVPN the correct Owner/permissions for .rnd are set while the PKI generation

-rw------- 1 nobody nobody 1024 Nov 16 01:27 /var/ipfire/ovpn/ca/.rnd

. It seems that OpenSSL uses the owner of the parent directory which is nobody in OpenVPN (/var/ipfire/ovpn/ca/) but root for IPSec ( /var/tmp ).


Comment 2 Erik Kapfer 2018-12-07 12:25:04 UTC
Potential fix can look like this --> https://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=5a8e18bfe7e378a7ef89aa128b43cc966fc76e2c.

Tests looks good.

Comment 3 Peter Müller 2019-01-02 20:55:53 UTC
Erik, may I assign this to you?

Lacking spare time for OpenSSL at the moment, and it looks like you are more deeply into this.

Thank you!