[Pkg-openssl-devel] Bug#88728: openssl: usage of /dev/random should be possible
Sebastian Andrzej Siewior
sebastian at breakpoint.cc
Tue Nov 27 22:00:41 GMT 2018
Version: 1.1.1-1
On 2001-03-06 12:06:26 [+0100], Robert Bihlmeyer wrote:
> For libssl, /dev/urandom is probably the right default, as it can be
> used in circumstances with a time-security-tradeoff (e.g. webserver).
>
> OTOH, "openssl" has no time constraints, and needs maximum security -
> think: creation of a new CA key. Usage of /dev/random should be an
> option or even the default for Linux[1]. Unfortunately, it's not
> possible to just set RANDFILE to "/dev/random" (via environment or
> config file), because openssl then wants to read the *whole* file ...
> a Sisyphus task.
As of 1.1.1, getrandom() is used, and it has its own RNG on top of it, so I
think we are good here.
Sebastian
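Added illustration of the getrandom(2) interface Sebastian refers to (example code written for this page, not OpenSSL's own seeding routine; assumes Linux with a glibc that ships <sys/random.h>): a seeding wrapper that handles short reads and EINTR, and a non-blocking probe that exposes the one case in which getrandom() still blocks, namely until the kernel pool has been initialised after boot, which is what made /dev/random attractive for key generation in the first place.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/random.h>   /* getrandom(2); glibc >= 2.25 (assumed) */

/* Fill buf with len bytes from the kernel CSPRNG via getrandom(2).
 * No file descriptor is involved, so nothing tries to "read the whole
 * file"; the call blocks only until the pool has been initialised once.
 * Returns 0 on success, -1 on error (e.g. ENOSYS on kernels < 3.17). */
int fill_random(unsigned char *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = getrandom(buf + got, len - got, 0);
        if (n < 0) {
            if (errno == EINTR)   /* interrupted by a signal: retry */
                continue;
            return -1;
        }
        got += (size_t)n;         /* short reads are legal for > 256 bytes */
    }
    return 0;
}

/* Non-blocking probe: 1 if the pool is initialised (a draw succeeds at
 * once), 0 if the call would block (EAGAIN), -1 on any other error. */
int pool_ready(void)
{
    unsigned char b;
    if (getrandom(&b, 1, GRND_NONBLOCK) == 1)
        return 1;
    return errno == EAGAIN ? 0 : -1;
}

/* Draw two 32-byte seeds and report whether they differ: 1 yes, 0 no,
 * -1 if getrandom() failed. A live source must never repeat a seed. */
int two_seeds_differ(void)
{
    unsigned char a[32], b[32];
    if (fill_random(a, sizeof a) != 0 || fill_random(b, sizeof b) != 0)
        return -1;
    return memcmp(a, b, sizeof a) != 0;
}

int main(void)
{
    printf("pool ready: %d, two seeds differ: %d\n",
           pool_ready(), two_seeds_differ());
    return 0;
}
```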