[ Note that Karl might not have seen your list-only response. ]
Daniel Stenberg <[EMAIL PROTECTED]> writes:
> On Sat, 9 Jun 2001 [EMAIL PROTECTED] wrote:
>
>> About doing the random number seed for ssl, I dug up what lynx does, and
>> it looks like it wouldn't be difficult to do something similar in wget.
>> It appears this code was written by Mark Mentovai <[EMAIL PROTECTED]>,
>> http://www.moxienet.com/.
>
> I don't think this Lynx random seeding is what could be considered "Good
> Enough" for any half-baked cryptographer.

Given that the alternative is not working at all, I think I'll take
the simple approach for 1.7.1. If it was good enough for Lynx, it
will be good enough for Wget, at least until someone comes up with a
patch that implements a better solution.

> I'd suggest that you
>
> 1 - Use RAND_egd() for reading true random data if such is available (this
> needs to be checked for in the configure script, as RAND_egd() wasn't
> introduced until OpenSSL 0.9.5). This would also benefit from a command
> line option to specify the egd socket. EGD = Entropy Gathering Daemon.
>
> 2 - Use RAND_screen() for Windows-based systems (gets random data off the
> screen).
>
> 3 - Allow a user-specified file for reading random data from with
> RAND_load_file()
>
> 4 - Use RAND_file_name() to get what default file (if any) to read random
> data from. (This seems to be done in the lynx code)
>
> 5 - *then* you go with the srand(), time and pid seeding stuff.
>
> I'm not saying curl is the perfect code in this aspect either, I just think
> it does a whole lot better...
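
Added example, not part of the thread and not wget, curl or Lynx code: a sketch of the fallback order in steps 3 to 5 of the quoted list, which reports which source supplied the seed so the caller can warn when only time and pid were available. It assumes plain file reads as stand-ins for RAND_load_file() and RAND_file_name() so that it builds without libcrypto; `gather_seed`, `default_seed_file`, `read_seed` and the 32-byte seed length are hypothetical, and steps 1 and 2 (EGD, RAND_screen()) are left out.

```c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>
#define SEED_LEN 32
enum seed_source { SRC_USER_FILE, SRC_DEFAULT_FILE, SRC_WEAK_FALLBACK };

/* Accept a file only if it yields a full SEED_LEN bytes; short files are rejected. */
static int read_seed(const char *path, unsigned char *out)
{
    FILE *f = (path && *path) ? fopen(path, "rb") : NULL;
    size_t n = f ? fread(out, 1, SEED_LEN, f) : 0;
    if (f) fclose(f);
    return n == SEED_LEN;
}

/* Default seed file: $RANDFILE, else $HOME/.rnd (the lookup RAND_file_name() documents). */
const char *default_seed_file(char *buf, size_t len)
{
    const char *rf = getenv("RANDFILE"), *home = getenv("HOME");
    if (rf && *rf)
        return rf;
    if (home && *home && (size_t)snprintf(buf, len, "%s/.rnd", home) < len)
        return buf;
    return NULL;
}

/* Fill out[SEED_LEN] from the best available source and report which one was used. */
enum seed_source gather_seed(const char *user, const char *dflt, unsigned char *out)
{
    if (read_seed(user, out))   /* step 3: user-specified file */
        return SRC_USER_FILE;
    if (read_seed(dflt, out))   /* step 4: default seed file */
        return SRC_DEFAULT_FILE;
    /* step 5: time and pid only; both are guessable, so the caller should warn */
    srand((unsigned)time(NULL) ^ ((unsigned)getpid() << 16));
    for (size_t i = 0; i < SEED_LEN; i++)
        out[i] = (unsigned char)(rand() & 0xff);
    return SRC_WEAK_FALLBACK;
}

int main(int argc, char **argv)
{
    unsigned char seed[SEED_LEN];
    char path[1024];
    enum seed_source s = gather_seed(argc > 1 ? argv[1] : NULL,
                                     default_seed_file(path, sizeof path), seed);
    printf("seed source %d%s\n", (int)s, s == SRC_WEAK_FALLBACK ? " (weak)" : "");
    return s == SRC_WEAK_FALLBACK;
}
```

In a real client the returned bytes would be handed to OpenSSL with RAND_seed(), and a `SRC_WEAK_FALLBACK` result is the case the quoted message puts last.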