[Cryptography] [FORGED] Re: OpenSSL and random
Theodore Ts'o
tytso at mit.edu
Tue Nov 29 20:09:11 EST 2016
On Linux, my recommendation is to use getrandom(2) on Linux; you'll
have to use syscall to access it because glibc developers are being,
well.... very glibc. If it doesn't exist, fall back to /dev/urandom.
In practice this should be good enough for most OpenSSL users, since
by the time Apache fires up, in practice /dev/urandom will be seeded.
(Within 3-5 seconds after boot you should see kernel message to that
effect.)
I am worried about silly distro init scripts that create random host
ssh keys in very early boot, but that's generally not an issue for
most OpenSSL uesrs.
Cheers,
- Ted
More information about the cryptography
mailing list