On Wed, Aug 21, 2013 at 2:19 AM, Patrick Pelletier
<c...@funwithsoftware.org> wrote:
> An easy way to work around this, if you don't mind linking against pthreads,
> is to do this at the start of your application, after initializing OpenSSL:
> typedef void (*voidfunc) (void);
> if (ENGINE_get_default_RAND () == NULL)
>   pthread_atfork (NULL, (voidfunc) RAND_poll, (voidfunc) RAND_poll);

This is a pretty standard thing to do, and Solaris' libpkcs11 does it
(not to add entropy but to re-initialize, since PKCS#11 requires all
session and object handles to no longer be usable on the child-side of

> But, of course, this ought to eventually be fixed in OpenSSL itself. (By
> using the pid-comparison trick that libottery uses, rather than just mixing
> in the pid.)  I'm happy to submit a patch, if we think there's a good chance
> it would be considered?

OpenSSL should use pthread_atfork() and mix in more /dev/urandom into
its pool in the child-side of the fork(),  Only a child-side handler
is needed, FYI, unless there's locks to acquire and release, in which
case you also need a pre-fork and parent-side handlers, or unless
fork() is just a good excuse to add entropy to the pool on the parent
side anyways :)

OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to