On Wed, Aug 21, 2013 at 2:19 AM, Patrick Pelletier <c...@funwithsoftware.org> wrote: > An easy way to work around this, if you don't mind linking against pthreads, > is to do this at the start of your application, after initializing OpenSSL: > > typedef void (*voidfunc) (void); > > if (ENGINE_get_default_RAND () == NULL) > pthread_atfork (NULL, (voidfunc) RAND_poll, (voidfunc) RAND_poll);
This is a pretty standard thing to do, and Solaris' libpkcs11 does it (not to add entropy but to re-initialize, since PKCS#11 requires all session and object handles to no longer be usable on the child-side of fork()). > But, of course, this ought to eventually be fixed in OpenSSL itself. (By > using the pid-comparison trick that libottery uses, rather than just mixing > in the pid.) I'm happy to submit a patch, if we think there's a good chance > it would be considered? OpenSSL should use pthread_atfork() and mix in more /dev/urandom into its pool in the child-side of the fork(), Only a child-side handler is needed, FYI, unless there's locks to acquire and release, in which case you also need a pre-fork and parent-side handlers, or unless fork() is just a good excuse to add entropy to the pool on the parent side anyways :) Nico -- ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org