On Tue, Nov 29, 2016 at 10:20 AM, Salz, Rich <rsalz at akamai.com> wrote:

> Tens of thousands of individual developers and sysadmins have downloaded,
> built, and installed OpenSSL.  A handful of distributions also do that, and
> bundle it with their release. For a variety of understandable reasons, said
> distro's are always out of date.
> > Real developers are not generally crypto geeks.  They need an alarm bell
> > like this to go off to let them know when something is wrong.
> And if the alarm bell is "apache won't start" they will throw out openssl
> or swamp us with email or perhaps fall back to plaintext.
Invite the world to get it correct; add worthy options to examples on
Lots of bad code starts there... so add some good code.

Google for:   site:stackexchange.com random urandom dev/random dev/urandom
and sample the offered solutions.
As a group, a small group here could ask and answer questions that could be
Sure, that is a shill game, but it is a valuable way to share known solutions and
update them.

OpenSSL could have a go-get-rand() function that is #ifdef rich and does all the
right things.   For the systems where ./configure does not find worthy foundations and
tools, have a configure option that is a lot like $HobbledInsecureMachine and then
use internet timeouts and other "weak solutions".


For blocking sources, read a small number of bits at a time and time
each read to know how sluggish the application might feel.  Stop with the TRNG
and seed a PRNG with the TRN set you have and the local environment...
Blocking reads are the bane of programmers... as are hidden buffers as small as
four characters.


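The "go-get-rand() that is #ifdef rich" idea and the timed small-chunk read of a blocking source, sketched in the message above, as an added example in C. This is illustrative code written for this page; it is not OpenSSL's code and not code from anyone in the thread. It assumes a POSIX system with poll(2) and a device node at /dev/urandom, uses the getrandom syscall only where `SYS_getrandom` is known to the headers, and the chunk size (4 bytes), per-read timeout (200 ms) and function names are illustrative choices, not anything the thread specifies.

```c
/* Added example, not OpenSSL code: a portable "get random bytes" routine that
 * prefers getrandom(2) and otherwise falls back to small, unbuffered, timed
 * read(2) calls on a device node so the caller can see how long it waited. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <time.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/syscall.h>        /* SYS_getrandom, when the headers know it */
#endif

/* Monotonic clock in milliseconds, used to time every single read. */
static double now_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec * 1000.0 + (double)ts.tv_nsec / 1e6;
}

/* Read 'want' bytes from 'path', at most 'chunk' bytes per read(2), giving up
 * if any single read cannot proceed within 'timeout_ms'.  Returns the number
 * of bytes obtained (possibly fewer than 'want') or -1 if the node cannot be
 * opened.  The slowest single read, in ms, is stored in *worst_ms.  read(2) is
 * called directly: stdio would silently pull ahead into a hidden buffer. */
ssize_t timed_read_entropy(const char *path, unsigned char *out, size_t want,
                           size_t chunk, int timeout_ms, double *worst_ms)
{
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_CLOEXEC);
    size_t got = 0;
    double worst = 0.0;

    if (fd < 0)
        return -1;
    if (chunk == 0)
        chunk = 1;
    while (got < want) {
        struct pollfd pfd;
        size_t n = (want - got < chunk) ? want - got : chunk;
        double t0 = now_ms(), dt;
        ssize_t r;
        int ready;

        pfd.fd = fd;
        pfd.events = POLLIN;
        pfd.revents = 0;
        ready = poll(&pfd, 1, timeout_ms);
        if (ready < 0 && errno == EINTR)
            continue;
        if (ready <= 0)
            break;              /* 0 means the source kept us waiting too long */
        r = read(fd, out + got, n);
        dt = now_ms() - t0;
        if (dt > worst)
            worst = dt;
        if (r < 0 && (errno == EINTR || errno == EAGAIN))
            continue;
        if (r <= 0)
            break;
        got += (size_t)r;
    }
    close(fd);
    if (worst_ms)
        *worst_ms = worst;
    return (ssize_t)got;
}

/* Best effort: getrandom(2) where available, then the device node.  Returns 0
 * on success and -1 if the full 'n' bytes could not be obtained. */
int get_random_bytes(unsigned char *out, size_t n, double *worst_ms)
{
    size_t got = 0;
    ssize_t r;
#if defined(__linux__) && defined(SYS_getrandom)
    while (got < n) {
        long k = syscall(SYS_getrandom, out + got, n - got, 0);
        if (k < 0 && errno == EINTR)
            continue;
        if (k < 0)
            break;              /* e.g. ENOSYS on an old kernel: use the device */
        got += (size_t)k;
    }
    if (got == n) {
        if (worst_ms)
            *worst_ms = 0.0;
        return 0;
    }
#endif
    r = timed_read_entropy("/dev/urandom", out + got, n - got, 4, 200, worst_ms);
    return (r >= 0 && (size_t)r == n - got) ? 0 : -1;
}

/* Probe helper: 16 bytes, 4 per read, 100 ms per read; -1 if the node is absent. */
int device_probe(const char *path)
{
    unsigned char buf[16];
    return (int)timed_read_entropy(path, buf, sizeof buf, 4, 100, NULL);
}

/* 1 when get_random_bytes() fills n (<= 256) bytes that are not all identical
 * (a constant buffer would point at a dead source), else 0. */
int random_bytes_look_sane(size_t n)
{
    unsigned char buf[256];
    double worst = -1.0;
    size_t i;
    if (n == 0 || n > sizeof buf)
        return 0;
    if (get_random_bytes(buf, n, &worst) != 0 || worst < 0.0)
        return 0;
    for (i = 1; i < n; i++)
        if (buf[i] != buf[0])
            return 1;
    return 0;
}

int main(void)
{
    unsigned char seed[32];
    double worst = 0.0;
    size_t i;
    if (get_random_bytes(seed, sizeof seed, &worst) != 0)
        return 1;
    for (i = 0; i < sizeof seed; i++)
        printf("%02x", seed[i]);
    printf("\nslowest single read: %.3f ms\n", worst);
    return 0;
}
```

The timing returned in `worst_ms` is the practical signal the message asks for: a seeding routine can log it, or refuse to proceed when one 4-byte read took longer than the application is willing to stall, instead of hanging silently inside a library call.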