On Thu, Feb 22, 2001 at 03:03:16PM -0800, Geoff Thorpe wrote:
>
> Hmm ... I'm fast closing in on the conclusion that we just *warn* people (BTW:
> Lutz is already touching up the man pages for this - I think he's mostly waiting
> for me to stop making mistakes and changing it :-). I.e. "if you write a callback
> because you need some structure in the generated session IDs based on whatever -
> thread IDs, machine names/addresses, etc - then make it good, make it random,
> spread it well, and try to do it in a way where an identical piece of software
> running elsewhere won't conflict ... To this end, implementors are encouraged to
> harness the RAND_*** functions for good nutritious ID generation." Or something
> perhaps a little more explanatory and a little less floral. But, in essence, we
> need the man-page equivalent of "if you write a callback, cache collisions and
> anomalies between local versus external caching are *your* problem".

You had the draft of the man page and might have changed it yourself :-)
Anyway, I will add a corresponding remark and encourage people to always
use the maximum length possible and fill with random bytes to make collisions
as unlikely as possible.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
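
The advice in this thread (structured prefix, maximum length, random fill, collisions are the callback author's problem) can be sketched as follows. This is an added example, not code from the thread or from OpenSSL: `make_session_id`, `rand_fn`, `taken_fn`, `MIN_RANDOM`, the `web01:` prefix and the demo sources are assumptions, and in a real callback the two hooks would wrap `RAND_bytes()` and `SSL_has_matching_session_id()`.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ID_LEN 32  /* SSLv3/TLS session ID upper bound */
#define MIN_RANDOM 16  /* assumption of this example: minimum random tail */
#define MAX_TRIES  10

/* Hypothetical hooks. In an OpenSSL callback they would wrap RAND_bytes()
 * and SSL_has_matching_session_id(). */
typedef int (*rand_fn)(unsigned char *buf, size_t len);       /* 1 = ok */
typedef int (*taken_fn)(const unsigned char *id, size_t len); /* 1 = in use */

/* id = prefix || random fill, always MAX_ID_LEN bytes. Returns 1, or 0 if
 * no unique ID could be produced (the handshake should then fail). */
int make_session_id(const unsigned char *prefix, size_t plen,
                    unsigned char id[MAX_ID_LEN], rand_fn rnd, taken_fn taken)
{
    if (plen > MAX_ID_LEN - MIN_RANDOM)
        return 0;                       /* prefix leaves too little entropy */
    memcpy(id, prefix, plen);
    for (int i = 0; i < MAX_TRIES; i++) {
        if (!rnd(id + plen, MAX_ID_LEN - plen))
            return 0;                   /* never fall back to a weak fill */
        if (!taken(id, MAX_ID_LEN))
            return 1;
    }
    return 0;
}

/* Demo hooks (constructed): a real source, a deliberately bad one, and a
 * one-entry stand-in for the session cache. */
unsigned char cached[MAX_ID_LEN];
int urandom_bytes(unsigned char *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got = f ? fread(buf, 1, len, f) : 0;
    if (f) fclose(f);
    return got == len;
}
int constant_bytes(unsigned char *buf, size_t len) { memset(buf, 0x41, len); return 1; }
int never_taken(const unsigned char *id, size_t len) { (void)id; (void)len; return 0; }
int in_cache(const unsigned char *id, size_t len)
{ return len == MAX_ID_LEN && memcmp(id, cached, len) == 0; }

int main(void)
{
    unsigned char id[MAX_ID_LEN];
    if (!make_session_id((const unsigned char *)"web01:", 6, id, urandom_bytes, in_cache))
        return 1;
    for (int i = 0; i < MAX_ID_LEN; i++) printf("%02x", id[i]);
    putchar('\n');
    return 0;
}
```

With `constant_bytes` as the source, the second ID requested for the same prefix collides on every retry and the function reports failure instead of handing out a duplicate.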