[Date Prev][Date Next]
Re: TLS_RANDFILE not recognized in ldap.conf/.ldaprc (ITS#733)
At 10:24 PM 9/12/00 +0200, Michael Weiser wrote:
>Hello Kurt, you wrote:
>>It wasn't an oversight. It was done purposely as sharing (static)
>>randfiles is not wise from a security standpoint. If a system
>>wise source of entropy is available which can be read using read(2),
>>then it should be configured as the URANDOM_DEVICE.
>But egd and prngd use a unix domain socket and not a device file. So
>you have to read via RAND_egd() and not RAND_read_file().
> Or am I missing something?
I wasn't thinking...
Anyways, would be nice if the library could be configured to
>Perhaps there should be an extra option TLS_EGD_SOCKET or so which
>only tries a RAND_egd() and gives up on error so that it can be
>non-user-only? It could be overrideable by TLS_RANDFILE. I got it
>halfway implemented here in five minutes, so I could complete it
>almost instantly if you agree.
Might as well just reuse the existing argument... maybe this
can be handled with file owner checks.