Repository : http://git.fedorahosted.org/git/?p=secure-coding.git

On branch  : master

>---------------------------------------------------------------

commit 547d8017443dc8f27cde63a6026bf8b0d2ff2770
Merge: e9907e4 c0c8caa
Author: Eric Christensen <echri...@redhat.com>
Date:   Thu May 29 11:53:43 2014 -0400

    Merge branch 'master' of git+ssh://git.fedorahosted.org/git/secure-coding



>---------------------------------------------------------------

 Securing_TLS/en-US/mod_ssl.xml |   15 ++++++++++++---
 1 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/Securing_TLS/en-US/mod_ssl.xml b/Securing_TLS/en-US/mod_ssl.xml
index 3441d0a..365b0bb 100644
--- a/Securing_TLS/en-US/mod_ssl.xml
+++ b/Securing_TLS/en-US/mod_ssl.xml
@@ -22,7 +22,8 @@
 Listen 443 https
 </screen>
 This specifies the port that httpd should listen to for SSL/TLS traffic.  Port 
443 is the standard port for https.
-
+</para>
+<para>
 <screen>
 #   Pseudo Random Number Generator (PRNG):
 #   Configure one or more sources to seed the PRNG of the 
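Review bot: the `</para>` added before the `<screen>` block closes an element that must already be open above this hunk; the `<para>` that is wrapped around the `Listen 443 https` discussion is not visible in the context lines, so confirm the opening tag exists and that the file still validates, otherwise this change leaves an unbalanced `</para>`. Replacing the blank line with an explicit paragraph boundary is the right fix, since a blank line inside DocBook `<para>` is not a paragraph break.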
@@ -39,10 +40,18 @@ SSLRandomSeed connect builtin
 #SSLRandomSeed startup file:/dev/random  512
 #SSLRandomSeed connect file:/dev/random  512
 #SSLRandomSeed connect file:/dev/urandom 512
+#SSLRandomSeed connect exec:/usr/local/bin/rand 16
 </screen>
 
-The random number generator is very important for cryptology and this is where 
those settings get established.  By default the pseudo-random number generator 
is defined here although if you have another source of random data you can put 
that here.
-
+The random number generator is very important for cryptology and this is where 
those settings get established.  By default the pseudo-random number generator 
is configured here although if you have another source of random data you can 
specify it here.
+</para>
+<para>
+For Linux systems, the quality of entropy provided by 
<literal>/dev/urandom</literal> is very high so we recommend its use for both 
<literal>startup</literal> and <literal>connect</literal>.  The number of bytes 
read should be left at 256 for <literal>startup</literal> as it has minimal 
impact on performance, and set to 32 for the <literal>connect</literal> use 
(256 bits).  This provides enough entropy for both internal operation and for 
ServerRandom value in TLS (which is limited to 256 bits).
+</para>
+<para>
+In cases where the system on which <literal>mod_ssl</literal> is running is 
slow and doesn't have a hardware random number generator, we highly recommend 
to set the values to the ones quoted in the above example.
+</para>
+<para>
 <screen>
 # Use "SSLCryptoDevice" to enable any supported hardware
 # accelerators. Use "openssl engine -v" to list supported
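Review bot: the final added paragraph says to "set the values to the ones quoted in the above example", but the `<screen>` block above it quotes several different values (`512` for the `/dev/random` and `/dev/urandom` lines, `16` for the newly added `exec:/usr/local/bin/rand` line) and none of them match the 256 bytes for `startup` and 32 bytes for `connect` recommended in the preceding paragraph; quote the two intended directives explicitly, e.g. `SSLRandomSeed startup file:/dev/urandom 256` and `SSLRandomSeed connect file:/dev/urandom 32`, so the reader is not sent to a line that recommends `/dev/random 512`. The new commented `exec:` line is also introduced without any mention in the prose; either explain it or drop it. Minor wording: "recommend to set the values" should be "recommend setting the values", and "for ServerRandom value" should be "for the ServerRandom value". Also confirm that the `<para>` opened just before the second `<screen>` is closed below the visible context.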

--
security mailing list
security@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/security