[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS_RANDFILE not recognized in ldap.conf/.ldaprc (ITS#733)

At 10:24 PM 9/12/00 +0200, Michael Weiser wrote:
>Hello Kurt, you wrote:
>>It wasn't an oversight.  It was done purposely as sharing (static)
>>randfiles is not wise from a security standpoint.  If a system
>>wise source of entropy is available which can be read using read(2),
>>then it should be configured as the URANDOM_DEVICE.
>But egd and prngd use a unix domain socket and not a device file. So
>you have to read via RAND_egd() and not RAND_read_file().


> Or am I missing something?

I wasn't thinking...

Anyways, would be nice if the library could be configured to
attepmt RAND_egd().

>Perhaps there should be an extra option TLS_EGD_SOCKET or so which
>only tries a RAND_egd() and gives up on error so that it can be
>non-user-only? It could be overrideable by TLS_RANDFILE. I got it
>halfway implemented here in five minutes, so I could complete it
>almost instantly if you agree.

Might as well just reuse the existing argument...   maybe this
can be handled with file owner checks.