[Cryptography] [FORGED] Re: OpenSSL and random

Theodore Ts'o tytso at mit.edu
Tue Nov 29 20:09:11 EST 2016

On Linux, my recommendation is to use getrandom(2) on Linux; you'll
have to use syscall to access it because glibc developers are being,
well.... very glibc.  If it doesn't exist, fall back to /dev/urandom.

In practice this should be good enough for most OpenSSL users, since
by the time Apache fires up, in practice /dev/urandom will be seeded.
(Within 3-5 seconds after boot you should see kernel message to that

I am worried about silly distro init scripts that create random host
ssh keys in very early boot, but that's generally not an issue for
most OpenSSL uesrs.


					- Ted

More information about the cryptography mailing list