I am currently evaluating the Apache-SSL and mod_ssl packages.
For both of them, I have problems locating any random number
generator initialisation stuff.  I want to be sure, of course, that
the random number generators have a sufficiently unpredictable state
when they are used to generate temporary asymmetric keys (and the
other random numbers needed by the SSL/TLS protocols, but the
temporary keys are the most important issue).

What approach for random number generator initialisation do the
packages take?  As said above, my quick search (basically a
case-insensitive grep for strings like rnd, rand and fast skimming
through the files) was unsuccessful.  SSLeay's own random number
initialisation doesn't get too much entropy, and anyway, there is
(AFAIK) no way to tell how much entropy SSLeay would have managed to
find.

I would like to have directives that tell the software packages how to
find randomness -- e.g. something allowing me to do things like
     SSLRandomInit "dd if=/dev/random count=2"
     SSLRandomInit "ps -Alf"
and also something like
     SSLRandomBufferFile private/rand
where the given file would be used similarly to how the RANDFILE from
ssleay.cnf (e.g. ~/.rnd) is used by SSLeay's "req" application.

In any case, the documentation of the software packages should state
where randomness is collected and, possibly, how much entropy we could
hope to gain that way.


Bodo Moeller
[EMAIL PROTECTED]
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
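
The seeding flow the message asks for, sketched as an added example; it is not code from the post, from mod_ssl/Apache-SSL or from SSLeay. `SeedPool` and `seed_pool` are hypothetical names, and the hash-based pool only illustrates the order of operations (load the buffer file, mix in command output, rewrite the file); it is not a vetted generator.

```python
import hashlib, os, subprocess

class SeedPool:
    """Toy hash pool (assumption: SHA-256 mixing) showing the seeding flow only."""
    def __init__(self):
        self._state = hashlib.sha256(b"pool-init").digest()
        self.bytes_mixed = 0  # upper bound on input, NOT an entropy estimate

    def mix(self, label, data):
        # Length-prefix label and data so different inputs cannot be confused.
        h = hashlib.sha256(self._state)
        for part in (label.encode(), data):
            h.update(len(part).to_bytes(8, "big") + part)
        self._state = h.digest()
        self.bytes_mixed += len(data)

    def output(self, n):
        blocks = b"".join(
            hashlib.sha256(self._state + b"out" + i.to_bytes(4, "big")).digest()
            for i in range((n + 31) // 32))
        # Step the state forward so the same output is never produced twice.
        self._state = hashlib.sha256(self._state + b"next").digest()
        return blocks[:n]

def seed_pool(commands, buffer_file):
    """Seed from a RANDFILE-style buffer file plus administrator-configured commands."""
    pool = SeedPool()
    if os.path.exists(buffer_file):
        with open(buffer_file, "rb") as f:
            pool.mix("file", f.read())
    for cmd in commands:
        # Commands come from the server configuration, as in the proposed
        # directive; they are never taken from request data.
        res = subprocess.run(cmd, shell=True, capture_output=True, timeout=10)
        pool.mix("cmd:" + cmd, res.stdout)
    # Rewrite the buffer file (owner-only) so the next start never sees the
    # same file contents again.
    fd = os.open(buffer_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(pool.output(1024))
    return pool
```

`bytes_mixed` counts input bytes only; output such as a process listing carries far less entropy than its length, which is the documentation gap the message points out.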
