apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Roy T. Fielding" <field...@ebuilt.com>
Subject Re: random number generation
Date Mon, 31 Dec 2001 22:07:02 GMT
Just to back up what Ben said (but with a little more explanation for those
of us who don't work in bomb shelters for a living), the true randomness of
the initialization function is necessary to maintain the strong encryption
characteristics of SSL.  If we make any attempt to reduce the entropy needed,
or replace it with any sort of PRNG (pseudo == NOT), then we reduce the SSL
algorithm to something any cheap PC can crack.  That is why OpenSSL refuses
to start without sufficient entropy.

We do not need to support SSL on a system without a true random source.
We should try to make use of all well-known sources of true random numbers,
but there is no need for SSL support to work on every platform.  The OS
folks will get around to supporting /dev/[u]random eventually.

....Roy


Mime
View raw message