Thanks to the recent openssl problems I reran exim-gencert (with
--force). Is the "?unable to write 'random state'" message shown below
cause for concern?
--------------------------------------------------
corn:/etc/exim4# /usr/share/doc/exim4-base/examples/exim-gencert --force
[*] Creating a self signed SSL certificate for Exim!
This may be sufficient to establish encrypted connections but for
secure identification you need to buy a real certificate!
Please enter the hostname of your MTA at the Common Name (CN)
prompt!
Generating a 1024 bit RSA private key
.....++++++
..++++++
unable to write 'random state'
writing new private key to '/etc/exim4/exim.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
[etc]
----------------------------------------------------
Things seemed to run OK, and I have new certificates. I don't see
mention of this error message in the exim-gencert code or the openssl
man page.
I have some related questions as well.
Does exim have any other certificates or anything else that needs to be
regenerated because of the openssl problems? I realize peer systems may
also need updates, and that other mail software (e.g., IMAP servers) may
have their own problems. My question is about exim itself.
While looking at exim-gencert I found these lines:
openssl req -config $SSLEAY -x509 -newkey rsa:1024 -keyout $KEY -out $CERT -days $DAYS -nodes
#see README.Debian.gz*# openssl dhparam -check -text -5 512 -out $DH
rm -f $SSLEAY
Is the commented out line a reference to README.Debian's section 2.2.3
discussion of Diffie-Hellman parameters? When I was trying to find the
relevant section I searched on dhparam and found nothing.
Thanks.
Ross Boylan
On Thu, May 15, 2008 at 08:29:08PM -0700, Ross Boylan wrote:
> Thanks to the recent openssl problems I reran exim-gencert (with
> --force). Is the "?unable to write 'random state'" message shown below
> cause for concern?

No idea.

> --------------------------------------------------
> corn:/etc/exim4# /usr/share/doc/exim4-base/examples/exim-gencert --force
> [*] Creating a self signed SSL certificate for Exim!
> This may be sufficient to establish encrypted connections but for
> secure identification you need to buy a real certificate!
>
> Please enter the hostname of your MTA at the Common Name (CN)
> prompt!
>
> Generating a 1024 bit RSA private key
> .....++++++
> ..++++++
> unable to write 'random state'
> writing new private key to '/etc/exim4/exim.key'
> -----

Can you try strace -f on exim-gencert to find out which file it is
trying to access?

Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190
Marc Haber wrote:
> On Thu, May 15, 2008 at 08:29:08PM -0700, Ross Boylan wrote:
>> Thanks to the recent openssl problems I reran exim-gencert (with
>> --force). Is the "?unable to write 'random state'" message shown below
>> cause for concern?
>
> No idea.

This might be of help to the original poster:
http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html

I didn't get such messages when generating certificates using the
commands described there. I do recall having this "unable to write
'random state'" when using exim-gencert and just ignored it at the time.

Greetings,
Jeroen