[Cryptography] [FORGED] Re: OpenSSL and random
tytso at mit.edu
Tue Nov 29 20:09:11 EST 2016
On Linux, my recommendation is to use getrandom(2) on Linux; you'll
have to use syscall to access it because glibc developers are being,
well.... very glibc. If it doesn't exist, fall back to /dev/urandom.
In practice this should be good enough for most OpenSSL users, since
by the time Apache fires up, in practice /dev/urandom will be seeded.
(Within 3-5 seconds after boot you should see kernel message to that
I am worried about silly distro init scripts that create random host
ssh keys in very early boot, but that's generally not an issue for
most OpenSSL users.