This should have gone to secur...@postgresql.org, instead. On Fri, Dec 21, 2012 at 06:05:10PM +0200, Marko Kreen wrote: > When there is 'ssl=on' then postmaster calls SSL_CTX_new(), > which asks for random number, thus requiring initialization > of randomness pool (RAND_poll). After that all forked backends > think pool is already initialized. Thus they proceed with same > fixed state they got from postmaster.
> Attached patch makes both gen_random_bytes() and pgp_encrypt() > seed pool with output from gettimeofday(), thus getting pool > off from fixed state. Basically, this mirrors what SSL_accept() > already does. That adds only 10-20 bits of entropy. Is that enough? How about instead calling RAND_cleanup() after each backend fork? Thanks, nm -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers