[Cryptography] [FORGED] Re: OpenSSL and random

Watson Ladd watsonbladd at gmail.com
Tue Nov 29 14:08:21 EST 2016


On Nov 29, 2016 11:00 AM, "Salz, Rich" <rsalz at akamai.com> wrote:
>
> Tens of thousands of individual developers and sysadmins have downloaded,
> built, and installed OpenSSL.  A handful of distributions also do that, and
> bundle it with their release. For a variety of understandable reasons, said
> distros are always out of date.
>
> > Real developers are not generally crypto geeks.  They need an alarm
> > bell like this to go off to let them know when something is wrong.
>
> And if the alarm bell is "apache won't start" they will throw out openssl
> or swamp us with email or perhaps fall back to plaintext.
>
> Servers do not have keyboards or screens that can be scraped for a source
> of entropy.

They have RDRAND. Silent failure is not a good idea. Can any user of
OpenSSL be sure the random number generator is properly set up?
>
> --
> Senior Architect, Akamai Technologies
> Member, OpenSSL Dev Team
> IM: richsalz at jabber.at Twitter: RichSalz
>
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography