-rw-r--r--.gitignore1
-rw-r--r--demos/certs/apps/apps.cnf1
-rw-r--r--demos/certs/ca.cnf1
-rw-r--r--doc/man1/openssl-ca.pod.in10
-rw-r--r--doc/man1/openssl-req.pod.in2
-rw-r--r--doc/man1/openssl-ts.pod.in21
-rw-r--r--doc/man5/config.pod1
-rw-r--r--test/CAss.cnf3
-rw-r--r--test/CAssdh.cnf2
-rw-r--r--test/CAssdsa.cnf2
-rw-r--r--test/CAssrsa.cnf2
-rw-r--r--test/CAtsa.cnf3
-rw-r--r--test/P1ss.cnf2
-rw-r--r--test/P2ss.cnf2
-rw-r--r--test/Sssdsa.cnf2
-rw-r--r--test/Sssrsa.cnf2
-rw-r--r--test/Uss.cnf1
-rw-r--r--test/conf_include_test.c7
-rw-r--r--test/recipes/25-test_req.t4
-rw-r--r--test/recipes/80-test_ssl_old.t4
-rw-r--r--test/recipes/90-test_includes_data/conf-includes/includes1.cnf3
-rw-r--r--test/smime-certs/ca.cnf1
-rw-r--r--test/test.cnf3
23 files changed, 25 insertions, 55 deletions
diff --git a/.gitignore b/.gitignore
index 8629499c49..eb95e48bfe 100644
--- a/.gitignore
+++ b/.gitignore
@@ -124,7 +124,6 @@ doc/man1/openssl-x509.pod
/out32dll.dbg
/inc32
/MINFO
-/ms/.rnd
/ms/bcb.mak
/ms/libeay32.def
/ms/nt.mak
diff --git a/demos/certs/apps/apps.cnf b/demos/certs/apps/apps.cnf
index 531afe64b2..bd762b7ddc 100644
--- a/demos/certs/apps/apps.cnf
+++ b/demos/certs/apps/apps.cnf
@@ -5,7 +5,6 @@
# This definition stops the following lines choking if HOME or CN
# is undefined.
HOME = .
-RANDFILE = $ENV::HOME/.rnd
CN = "Not Defined"
####################################################################
diff --git a/demos/certs/ca.cnf b/demos/certs/ca.cnf
index 5a8a5f29ef..c75a71a6aa 100644
--- a/demos/certs/ca.cnf
+++ b/demos/certs/ca.cnf
@@ -5,7 +5,6 @@
# This definition stops the following lines choking if HOME or CN
# is undefined.
HOME = .
-RANDFILE = $ENV::HOME/.rnd
CN = "Not Defined"
default_ca = ca
diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in
index 6df41d897f..c439fde5d9 100644
--- a/doc/man1/openssl-ca.pod.in
+++ b/doc/man1/openssl-ca.pod.in
@@ -446,7 +446,8 @@ CA private key. Mandatory.
=item B<RANDFILE>
At startup the specified file is loaded into the random number generator,
-and at exit 256 bytes will be written to it.
+and at exit 256 bytes will be written to it. (Note: Using a RANDFILE is
+not necessary anymore, see the L</HISTORY> section.
=item B<default_days>
@@ -654,7 +655,6 @@ A sample configuration file with the relevant sections for this command:
serial = $dir/serial # serial no file
#rand_serial = yes # for random serial#'s
private_key = $dir/private/cakey.pem# CA private key
- RANDFILE = $dir/private/.rand # random number file
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
@@ -690,7 +690,6 @@ The values below reflect the default values.
./demoCA/index.txt - CA text database file
./demoCA/index.txt.old - CA text database backup file
./demoCA/certs - certificate output file
- ./demoCA/.rnd - CA random seed information
=head1 RESTRICTIONS
@@ -767,6 +766,11 @@ B<-enddate> and B<-days>) will be encoded as UTCTime if the dates are
earlier than year 2049 (included), and as GeneralizedTime if the dates
are in year 2050 or later.
+OpenSSL 1.1.1 introduced a new random generator (CSPRNG) with an improved
+seeding mechanism. The new seeding mechanism makes it unnecessary to
+define a RANDFILE for saving and restoring randomness. This option is
+retained mainly for compatibility reasons.
+
=head1 SEE ALSO
L<openssl(1)>,
diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in
index 8ca4acc111..83aa1ad54e 100644
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@@ -592,8 +592,6 @@ Sample configuration file prompting for field values:
Sample configuration containing all field values:
- RANDFILE = $ENV::HOME/.rnd
-
[ req ]
default_bits = 2048
default_keyfile = keyfile.pem
diff --git a/doc/man1/openssl-ts.pod.in b/doc/man1/openssl-ts.pod.in
index 035763260d..6827fe84d1 100644
--- a/doc/man1/openssl-ts.pod.in
+++ b/doc/man1/openssl-ts.pod.in
@@ -403,15 +403,23 @@ section can be overridden with the B<-section> command line switch. (Optional)
=item B<oid_file>
-See L<openssl-ca(1)> for description. (Optional)
+This specifies a file containing additional B<OBJECT IDENTIFIERS>.
+Each line of the file should consist of the numerical form of the
+object identifier followed by white space then the short name followed
+by white space and finally the long name. (Optional)
=item B<oid_section>
-See L<openssl-ca(1)> for description. (Optional)
+This specifies a section in the configuration file containing extra
+object identifiers. Each line should consist of the short name of the
+object identifier followed by B<=> and the numerical form. The short
+and long names are the same when this option is used. (Optional)
=item B<RANDFILE>
-See L<openssl-ca(1)> for description. (Optional)
+At startup the specified file is loaded into the random number generator,
+and at exit 256 bytes will be written to it. (Note: Using a RANDFILE is
+not necessary anymore, see the L</HISTORY> section.
=item B<serial>
@@ -644,6 +652,13 @@ test/testtsa).
=back
+=head1 HISTORY
+
+OpenSSL 1.1.1 introduced a new random generator (CSPRNG) with an improved
+seeding mechanism. The new seeding mechanism makes it unnecessary to
+define a RANDFILE for saving and restoring randomness. This option is
+retained mainly for compatibility reasons.
+
=head1 SEE ALSO
L<openssl(1)>,
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
index 4b8465594a..1776439edd 100644
--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@@ -416,7 +416,6 @@ mentioned above.
# This is the default section.
HOME=/temp
- RANDFILE= ${ENV::HOME}/.rnd
configdir=$ENV::HOME/config
[ section_one ]
diff --git a/test/CAss.cnf b/test/CAss.cnf
index b20a242760..8ca62b5cf7 100644
--- a/test/CAss.cnf
+++ b/test/CAss.cnf
@@ -3,8 +3,6 @@
# This is mostly being used for generation of certificate requests.
#
-RANDFILE = ./.rnd
-
####################################################################
[ req ]
default_bits = 2048
@@ -43,7 +41,6 @@ certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
-RANDFILE = $dir/private/.rand # private random number file
x509_extensions = v3_ca # The extensions to add to the cert
diff --git a/test/CAssdh.cnf b/test/CAssdh.cnf
index 4e0a908679..7c08a6e1cc 100644
--- a/test/CAssdh.cnf
+++ b/test/CAssdh.cnf
@@ -4,8 +4,6 @@
#
# hacked by iang to do DH certs - CA
-RANDFILE = ./.rnd
-
####################################################################
[ req ]
distinguished_name = req_distinguished_name
diff --git a/test/CAssdsa.cnf b/test/CAssdsa.cnf
index a6b4d1810c..8328abd7b4 100644
--- a/test/CAssdsa.cnf
+++ b/test/CAssdsa.cnf
@@ -4,8 +4,6 @@
#
# hacked by iang to do DSA certs - CA
-RANDFILE = ./.rnd
-
####################################################################
[ req ]
distinguished_name = req_distinguished_name
diff --git a/test/CAssrsa.cnf b/test/CAssrsa.cnf
index eb24a6dfc0..d5aa20a72b 100644
--- a/test/CAssrsa.cnf
+++ b/test/CAssrsa.cnf
@@ -4,8 +4,6 @@
#
# create RSA certs - CA
-RANDFILE = ./.rnd
-
####################################################################
[ req ]
distinguished_name = req_distinguished_name
diff --git a/test/CAtsa.cnf b/test/CAtsa.cnf
index d1642879be..e7ca8c5a1e 100644
--- a/test/CAtsa.cnf
+++ b/test/CAtsa.cnf
@@ -3,8 +3,6 @@
# This config is used by the Time Stamp Authority tests.
#
-RANDFILE = ./.rnd
-
# Extra OBJECT IDENTIFIER info:
oid_section = new_oids
@@ -32,7 +30,6 @@ new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
private_key = $dir/private/cakey.pem# The private key
-RANDFILE = $dir/private/.rand # private random number file
default_days = 365 # how long to certify for
default_md = sha256 # which md to use.
diff --git a/test/P1ss.cnf b/test/P1ss.cnf
index e6118dc816..03f3cdb1ad 100644
--- a/test/P1ss.cnf
+++ b/test/P1ss.cnf
@@ -3,8 +3,6 @@
# This is mostly being used for generation of certificate requests.
#
-RANDFILE = ./.rnd
-
####################################################################
[ req ]
default_bits = 2048
diff --git a/test/P2ss.cnf b/test/P2ss.cnf
index d530e31f99..5adaecc7d5 100644
--- a/test/P2ss.cnf
+++ b/test/P2ss.cnf
@@ -3,8 +3,6 @@
# This is mostly being used for generation of certificate requests.
#
-RANDFILE = ./.rnd
-
####################################################################
[ req ]
default_bits = 2048
diff --git a/test/Sssdsa.cnf b/test/Sssdsa.cnf
index 8e170a28ef..2fb35e0880 100644
--- a/test/Sssdsa.cnf
+++ b/test/Sssdsa.cnf
@@ -4,8 +4,6 @@
#
# hacked by iang to do DSA certs - Server
-RANDFILE = ./.rnd
-
####################################################################
[ req ]
distinguished_name = req_distinguished_name
diff --git a/test/Sssrsa.cnf b/test/Sssrsa.cnf
index 8c79a03fca..f2b6e72b91 100644
--- a/test/Sssrsa.cnf
+++ b/test/Sssrsa.cnf
@@ -4,8 +4,6 @@
#
# create RSA certs - Server
-RANDFILE = ./.rnd
-
####################################################################
[ req ]
distinguished_name = req_distinguished_name
diff --git a/test/Uss.cnf b/test/Uss.cnf
index f655e7448d..27517bd106 100644
--- a/test/Uss.cnf
+++ b/test/Uss.cnf
@@ -3,7 +3,6 @@
# This is mostly being used for generation of certificate requests.
#
-RANDFILE = ./.rnd
CN2 = Brother 2
####################################################################
diff --git a/test/conf_include_test.c b/test/conf_include_test.c
index 16459c46d7..0cf8d49740 100644
--- a/test/conf_include_test.c
+++ b/test/conf_include_test.c
@@ -90,13 +90,6 @@ static int test_load_config(void)
return 0;
}
- /* verify whether RANDFILE is set correctly */
- str = NCONF_get_string(conf, "", "RANDFILE");
- if (!TEST_ptr(str) || !TEST_str_eq(str, "./.rnd")) {
- TEST_note("RANDFILE incorrect");
- return 0;
- }
-
/* verify whether CA_default/default_days is set */
val = 0;
if (!TEST_int_eq(NCONF_get_number(conf, "CA_default", "default_days", &val), 1)
diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t
index 6da8e897f5..0e085b435d 100644
--- a/test/recipes/25-test_req.t
+++ b/test/recipes/25-test_req.t
@@ -19,10 +19,6 @@ plan tests => 13;
require_ok(srctop_file('test','recipes','tconversion.pl'));
-open RND, ">>", ".rnd";
-print RND "string to make the random number generator think it has randomness";
-close RND;
-
# What type of key to generate?
my @req_new;
if (disabled("rsa")) {
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index 0290b489eb..2d213b7daa 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -100,10 +100,6 @@ testssl("keyU.ss", $Ucert, $CAcert);
# -----------
# subtest functions
sub testss {
- open RND, ">>", ".rnd";
- print RND "string to make the random number generator think it has randomness";
- close RND;
-
my @req_dsa = ("-newkey",
"dsa:".srctop_file("apps", "dsa1024.pem"));
my $dsaparams = srctop_file("apps", "dsa1024.pem");
diff --git a/test/recipes/90-test_includes_data/conf-includes/includes1.cnf b/test/recipes/90-test_includes_data/conf-includes/includes1.cnf
index 66c89006d0..5959b23e4b 100644
--- a/test/recipes/90-test_includes_data/conf-includes/includes1.cnf
+++ b/test/recipes/90-test_includes_data/conf-includes/includes1.cnf
@@ -4,8 +4,6 @@
# This is mostly being used for generation of certificate requests.
#
-RANDFILE = ./.rnd
-
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
@@ -23,7 +21,6 @@ certificate = $dir/CAcert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/CAkey.pem# The private key
-RANDFILE = $dir/private/.rand # private random number file
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
diff --git a/test/smime-certs/ca.cnf b/test/smime-certs/ca.cnf
index 835b2c672d..00d40e7479 100644
--- a/test/smime-certs/ca.cnf
+++ b/test/smime-certs/ca.cnf
@@ -5,7 +5,6 @@
# This definition stops the following lines choking if HOME or CN
# is undefined.
HOME = .
-RANDFILE = $ENV::HOME/.rnd
CN = "Not Defined"
default_ca = ca
diff --git a/test/test.cnf b/test/test.cnf
index 718b0bf1f2..1e2fa31cce 100644
--- a/test/test.cnf
+++ b/test/test.cnf
@@ -3,8 +3,6 @@
# This is mostly being used for generation of certificate requests.
#
-RANDFILE = ./.rnd
-
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
@@ -22,7 +20,6 @@ certificate = $dir/CAcert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/CAkey.pem# The private key
-RANDFILE = $dir/private/.rand # private random number file
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL