
Remove RANDFILE settings from configuration files

OpenSSL 1.1.1 introduced a new CSPRNG with an improved seeding
mechanism, which makes it dispensable to define a RANDFILE for
saving and restoring randomness. This commit removes the RANDFILE
declarations from our own configuration files and adds documentation
that this option is not needed anymore and retained mainly for
compatibility reasons.

Fixes #10433

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/10436)
Branch: master
Author: Dr. Matthias St. Pierre, 3 years ago
Parent commit: 23f3993127
23 changed files with 25 additions and 55 deletions
1. .gitignore (+0, -1)
2. demos/certs/apps/apps.cnf (+0, -1)
3. demos/certs/ca.cnf (+0, -1)
4. doc/man1/openssl-ca.pod.in (+7, -3)
5. doc/man1/openssl-req.pod.in (+0, -2)
6. doc/man1/openssl-ts.pod.in (+18, -3)
7. doc/man5/config.pod (+0, -1)
8. test/CAss.cnf (+0, -3)
9. test/CAssdh.cnf (+0, -2)
10. test/CAssdsa.cnf (+0, -2)
11. test/CAssrsa.cnf (+0, -2)
12. test/CAtsa.cnf (+0, -3)
13. test/P1ss.cnf (+0, -2)
14. test/P2ss.cnf (+0, -2)
15. test/Sssdsa.cnf (+0, -2)
16. test/Sssrsa.cnf (+0, -2)
17. test/Uss.cnf (+0, -1)
18. test/conf_include_test.c (+0, -7)
19. test/recipes/25-test_req.t (+0, -4)
20. test/recipes/80-test_ssl_old.t (+0, -4)
21. test/recipes/90-test_includes_data/conf-includes/includes1.cnf (+0, -3)
22. test/smime-certs/ca.cnf (+0, -1)
23. test/test.cnf (+0, -3)

.gitignore (+0, -1)

@ -124,7 +124,6 @@ doc/man1/openssl-x509.pod
/out32dll.dbg
/inc32
/MINFO
/ms/.rnd
/ms/bcb.mak
/ms/libeay32.def
/ms/nt.mak


demos/certs/apps/apps.cnf (+0, -1)

@ -5,7 +5,6 @@
# This definition stops the following lines choking if HOME or CN
# is undefined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
CN = "Not Defined"
####################################################################
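Review bot: With the RANDFILE line removed, the comment above `HOME = .` still says the definition stops "the following lines choking if HOME or CN is undefined", but the only visible consumer of HOME in this hunk was the deleted `RANDFILE = $ENV::HOME/.rnd`; verify that HOME is still referenced further down in apps.cnf and, if this was its only use, drop `HOME = .` and reword the comment to mention CN alone. The same check applies to the identical hunks in demos/certs/ca.cnf and test/smime-certs/ca.cnf.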


demos/certs/ca.cnf (+0, -1)

@ -5,7 +5,6 @@
# This definition stops the following lines choking if HOME or CN
# is undefined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
CN = "Not Defined"
default_ca = ca


doc/man1/openssl-ca.pod.in (+7, -3)

@ -446,7 +446,8 @@ CA private key. Mandatory.
=item B<RANDFILE>
At startup the specified file is loaded into the random number generator,
and at exit 256 bytes will be written to it.
and at exit 256 bytes will be written to it. (Note: Using a RANDFILE is
not necessary anymore, see the L</HISTORY> section.
=item B<default_days>
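Review bot: The added parenthetical in the B<RANDFILE> description is never closed: "(Note: Using a RANDFILE is not necessary anymore, see the L</HISTORY> section." needs a closing parenthesis after "section.", otherwise the rendered man page carries an unbalanced bracket through the rest of the item.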
@ -654,7 +655,6 @@ A sample configuration file with the relevant sections for this command:
serial = $dir/serial # serial no file
#rand_serial = yes # for random serial#'s
private_key = $dir/private/cakey.pem# CA private key
RANDFILE = $dir/private/.rand # random number file
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
@ -690,7 +690,6 @@ The values below reflect the default values.
./demoCA/index.txt - CA text database file
./demoCA/index.txt.old - CA text database backup file
./demoCA/certs - certificate output file
./demoCA/.rnd - CA random seed information
=head1 RESTRICTIONS
@ -767,6 +766,11 @@ B<-enddate> and B<-days>) will be encoded as UTCTime if the dates are
earlier than year 2049 (included), and as GeneralizedTime if the dates
are in year 2050 or later.
OpenSSL 1.1.1 introduced a new random generator (CSPRNG) with an improved
seeding mechanism. The new seeding mechanism makes it unnecessary to
define a RANDFILE for saving and restoring randomness. This option is
retained mainly for compatibility reasons.
=head1 SEE ALSO
L<openssl(1)>,
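Review bot: The new HISTORY paragraph says RANDFILE is "retained mainly for compatibility reasons" but does not state what the option still does when present; since the B<RANDFILE> description above says the file is loaded at startup and 256 bytes are written at exit, one sentence here confirming that this behaviour is unchanged and merely no longer required would tell readers that deleting the line from an existing config does not weaken seeding.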


doc/man1/openssl-req.pod.in (+0, -2)

@ -592,8 +592,6 @@ Sample configuration file prompting for field values:
Sample configuration containing all field values:
RANDFILE = $ENV::HOME/.rnd
[ req ]
default_bits = 2048
default_keyfile = keyfile.pem


doc/man1/openssl-ts.pod.in (+18, -3)

@ -403,15 +403,23 @@ section can be overridden with the B<-section> command line switch. (Optional)
=item B<oid_file>
See L<openssl-ca(1)> for description. (Optional)
This specifies a file containing additional B<OBJECT IDENTIFIERS>.
Each line of the file should consist of the numerical form of the
object identifier followed by white space then the short name followed
by white space and finally the long name. (Optional)
=item B<oid_section>
See L<openssl-ca(1)> for description. (Optional)
This specifies a section in the configuration file containing extra
object identifiers. Each line should consist of the short name of the
object identifier followed by B<=> and the numerical form. The short
and long names are the same when this option is used. (Optional)
=item B<RANDFILE>
See L<openssl-ca(1)> for description. (Optional)
At startup the specified file is loaded into the random number generator,
and at exit 256 bytes will be written to it. (Note: Using a RANDFILE is
not necessary anymore, see the L</HISTORY> section.
=item B<serial>
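Review bot: Same unbalanced parenthesis as in openssl-ca.pod.in: "(Note: Using a RANDFILE is not necessary anymore, see the L</HISTORY> section." should end with "section.)". Also note that B<oid_file> and B<oid_section> now carry a full copy of the openssl-ca(1) text instead of "See L<openssl-ca(1)> for description"; that is fine for a self-contained page, but the two copies will need to be kept in sync by hand from now on.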
@ -644,6 +652,13 @@ test/testtsa).
=back
=head1 HISTORY
OpenSSL 1.1.1 introduced a new random generator (CSPRNG) with an improved
seeding mechanism. The new seeding mechanism makes it unnecessary to
define a RANDFILE for saving and restoring randomness. This option is
retained mainly for compatibility reasons.
=head1 SEE ALSO
L<openssl(1)>,
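Review bot: This HISTORY section is required because the B<RANDFILE> item earlier in this file now links to L</HISTORY>, so the two hunks must land together; the paragraph is a verbatim copy of the one added to openssl-ca.pod.in, which is acceptable, but consider a shared wording or a cross-reference so later edits to one page do not drift from the other.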


doc/man5/config.pod (+0, -1)

@ -416,7 +416,6 @@ mentioned above.
# This is the default section.
HOME=/temp
RANDFILE= ${ENV::HOME}/.rnd
configdir=$ENV::HOME/config
[ section_one ]


test/CAss.cnf (+0, -3)

@ -3,8 +3,6 @@
# This is mostly being used for generation of certificate requests.
#
RANDFILE = ./.rnd
####################################################################
[ req ]
default_bits = 2048
@ -43,7 +41,6 @@ certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = v3_ca # The extensions to add to the cert


test/CAssdh.cnf (+0, -2)

@ -4,8 +4,6 @@
#
# hacked by iang to do DH certs - CA
RANDFILE = ./.rnd
####################################################################
[ req ]
distinguished_name = req_distinguished_name


test/CAssdsa.cnf (+0, -2)

@ -4,8 +4,6 @@
#
# hacked by iang to do DSA certs - CA
RANDFILE = ./.rnd
####################################################################
[ req ]
distinguished_name = req_distinguished_name


test/CAssrsa.cnf (+0, -2)

@ -4,8 +4,6 @@
#
# create RSA certs - CA
RANDFILE = ./.rnd
####################################################################
[ req ]
distinguished_name = req_distinguished_name


test/CAtsa.cnf (+0, -3)

@ -3,8 +3,6 @@
# This config is used by the Time Stamp Authority tests.
#
RANDFILE = ./.rnd
# Extra OBJECT IDENTIFIER info:
oid_section = new_oids
@ -32,7 +30,6 @@ new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
default_days = 365 # how long to certify for
default_md = sha256 # which md to use.


test/P1ss.cnf (+0, -2)

@ -3,8 +3,6 @@
# This is mostly being used for generation of certificate requests.
#
RANDFILE = ./.rnd
####################################################################
[ req ]
default_bits = 2048


test/P2ss.cnf (+0, -2)

@ -3,8 +3,6 @@
# This is mostly being used for generation of certificate requests.
#
RANDFILE = ./.rnd
####################################################################
[ req ]
default_bits = 2048


test/Sssdsa.cnf (+0, -2)

@ -4,8 +4,6 @@
#
# hacked by iang to do DSA certs - Server
RANDFILE = ./.rnd
####################################################################
[ req ]
distinguished_name = req_distinguished_name


test/Sssrsa.cnf (+0, -2)

@ -4,8 +4,6 @@
#
# create RSA certs - Server
RANDFILE = ./.rnd
####################################################################
[ req ]
distinguished_name = req_distinguished_name


test/Uss.cnf (+0, -1)

@ -3,7 +3,6 @@
# This is mostly being used for generation of certificate requests.
#
RANDFILE = ./.rnd
CN2 = Brother 2
####################################################################


test/conf_include_test.c (+0, -7)

@ -90,13 +90,6 @@ static int test_load_config(void)
return 0;
}
/* verify whether RANDFILE is set correctly */
str = NCONF_get_string(conf, "", "RANDFILE");
if (!TEST_ptr(str) || !TEST_str_eq(str, "./.rnd")) {
TEST_note("RANDFILE incorrect");
return 0;
}
/* verify whether CA_default/default_days is set */
val = 0;
if (!TEST_int_eq(NCONF_get_number(conf, "CA_default", "default_days", &val), 1)
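Review bot: Dropping the RANDFILE assertion is correct once includes1.cnf no longer sets `RANDFILE = ./.rnd`, but `str = NCONF_get_string(conf, "", "RANDFILE")` was the only visible use of `str` in this function; check whether `str` is still assigned elsewhere in test_load_config(), and if not remove its declaration too, otherwise the build will warn about an unused variable.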


test/recipes/25-test_req.t (+0, -4)

@ -19,10 +19,6 @@ plan tests => 13;
require_ok(srctop_file('test','recipes','tconversion.pl'));
open RND, ">>", ".rnd";
print RND "string to make the random number generator think it has randomness";
close RND;
# What type of key to generate?
my @req_new;
if (disabled("rsa")) {
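Review bot: The removed block appended a fixed string to `.rnd` in the working directory purely so the old generator would "think it has randomness"; it contributed no test assertions, so the unchanged `plan tests => 13;` in the context is still accurate, and test runs will no longer leave a stray `.rnd` file behind.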


test/recipes/80-test_ssl_old.t (+0, -4)

@ -100,10 +100,6 @@ testssl("keyU.ss", $Ucert, $CAcert);
# -----------
# subtest functions
sub testss {
open RND, ">>", ".rnd";
print RND "string to make the random number generator think it has randomness";
close RND;
my @req_dsa = ("-newkey",
"dsa:".srctop_file("apps", "dsa1024.pem"));
my $dsaparams = srctop_file("apps", "dsa1024.pem");
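Review bot: Same `.rnd` pre-seeding hack as in 25-test_req.t; the rest of `testss` does not reference the RND handle, so nothing else in the subroutine depends on the removed lines and the DSA parameter setup that follows is unaffected.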


test/recipes/90-test_includes_data/conf-includes/includes1.cnf (+0, -3)

@ -4,8 +4,6 @@
# This is mostly being used for generation of certificate requests.
#
RANDFILE = ./.rnd
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
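Review bot: Removing `RANDFILE = ./.rnd` from this include file is what makes the `NCONF_get_string(conf, "", "RANDFILE")` check in test/conf_include_test.c obsolete; the two hunks have to land in the same commit, since either one alone breaks the include test.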
@ -23,7 +21,6 @@ certificate = $dir/CAcert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/CAkey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL


test/smime-certs/ca.cnf (+0, -1)

@ -5,7 +5,6 @@
# This definition stops the following lines choking if HOME or CN
# is undefined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
CN = "Not Defined"
default_ca = ca


test/test.cnf (+0, -3)

@ -3,8 +3,6 @@
# This is mostly being used for generation of certificate requests.
#
RANDFILE = ./.rnd
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
@ -22,7 +20,6 @@ certificate = $dir/CAcert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/CAkey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL

