Bugtraq mailing list archives
Re: qmail starttls patch does not seed the random number generator
From: Frederik Vermeulen <jos-tls () kotnet org>
Date: Thu, 16 Aug 2001 22:47:36 +0200 (METDST)
Felix von Leitner wrote:
openssl-0.9.6b does not allow ssl/tls connections when the random number has not been seeded. This is a good idea, and it exposes that the starttls patch for qmail does not seed the random number generator.
I (patch maintainer) second the response of Brian Hatch in <20010815105637.A30794 () ifokr org>. On systems that support /dev/urandom, the openssl library uses it to seed the PRNG, without the need to call RAND_seed in the application. On other systems, it will fail to set up a TLS connection as you reported. This is also the case with openssl versions < 0.9.6b. I see no security problem with this behavior. The openssl library provides the possibility to provide PRNG seeding in the application. This moves the problem of providing a platform specific PRNG seeding function from the cryptographic library to the application programmer. The third way is to have the PRNG seeding code in an entropy gathering daemon (EGD). This keeps the application code platform-independent (only EGD interfacing code is needed). You report that your system has /dev/urandom, but openssl does not use it. Are you sure DEVRANDOM in openssl/e_os.h was defined to /dev/urandom when openssl was compiled? Regards, Frederik
Current thread:
- qmail starttls patch does not seed the random number generator Felix von Leitner (Aug 15)
- Re: qmail starttls patch does not seed the random number generator Wojciech Purczynski (Aug 15)
- Re: qmail starttls patch does not seed the random number generator Jack Lloyd (Aug 15)
- Re: qmail starttls patch does not seed the random number generator Scott Renfro (Aug 16)
- Re: qmail starttls patch does not seed the random number generator D. J. Bernstein (Aug 19)
- Re: qmail starttls patch does not seed the random number generator Jack Lloyd (Aug 15)
- Re: qmail starttls patch does not seed the random number generator Brian Hatch (Aug 15)
- Re: qmail starttls patch does not seed the random number generator Frederik Vermeulen (Aug 16)
- Re: qmail starttls patch does not seed the random number generator Wojciech Purczynski (Aug 15)