
Re: TLS_RANDFILE not recognized in ldap.conf/.ldaprc (ITS#733)



At 10:24 PM 9/12/00 +0200, Michael Weiser wrote:
>Hello Kurt, you wrote:
>>It wasn't an oversight.  It was done purposely as sharing (static)
>>randfiles is not wise from a security standpoint.  If a system
>>wise source of entropy is available which can be read using read(2),
>>then it should be configured as the URANDOM_DEVICE.
>But egd and prngd use a unix domain socket and not a device file. So
>you have to read via RAND_egd() and not RAND_read_file().

correct.

> Or am I missing something?

I wasn't thinking...

Anyways, would be nice if the library could be configured to
attempt RAND_egd().


>Perhaps there should be an extra option TLS_EGD_SOCKET or so which
>only tries a RAND_egd() and gives up on error so that it can be
>non-user-only? It could be overrideable by TLS_RANDFILE. I got it
>halfway implemented here in five minutes, so I could complete it
>almost instantly if you agree.

Might as well just reuse the existing argument...   maybe this
can be handled with file owner checks.

Kurt
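One way to do the "file owner checks" Kurt mentions for a TLS_RANDFILE-style seed file, as an added example in C that is not part of this thread or of OpenLDAP; the enum and function names are assumptions, and the check covers only regular seed files, not EGD sockets:

```c
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

/* Outcome of the check (hypothetical names, not libldap's). */
enum randsrc_status {
    RANDSRC_OK = 0,
    RANDSRC_MISSING,      /* lstat() failed: no such file or unreadable dir */
    RANDSRC_SYMLINK,      /* a symlink could be pointed at someone else's file */
    RANDSRC_NOT_REGULAR,  /* not a regular file (devices/sockets are another path) */
    RANDSRC_WRONG_OWNER,  /* not owned by the effective user */
    RANDSRC_SHARED        /* group/other can read or write the seed state */
};

/* Owner and permission check for a TLS_RANDFILE-style seed file: only a
 * regular file, owned by the calling user, with no group/other access, so
 * the seed state is private to that account rather than shared. */
enum randsrc_status randsrc_check(const char *path)
{
    struct stat st;

    if (lstat(path, &st) != 0)
        return RANDSRC_MISSING;
    if (S_ISLNK(st.st_mode))
        return RANDSRC_SYMLINK;
    if (!S_ISREG(st.st_mode))
        return RANDSRC_NOT_REGULAR;
    if (st.st_uid != geteuid())
        return RANDSRC_WRONG_OWNER;
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        return RANDSRC_SHARED;
    return RANDSRC_OK;
}

/* Helper for trying the check: create or truncate a small seed file with an
 * explicit mode (fchmod, so the process umask does not alter the result). */
int make_seed_file(const char *path, mode_t mode)
{
    static const unsigned char seed[8] = { 1, 2, 3, 4, 5, 6, 7, 8 }; /* constructed */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    if (fchmod(fd, mode) != 0 || write(fd, seed, sizeof seed) != (ssize_t)sizeof seed) {
        close(fd);
        return -1;
    }
    return close(fd);
}
```

A library applying this would refuse to seed from a file that fails the check instead of silently reading shared state.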