[Date Prev][Date Next] [Chronological] [Thread] [Top]

TLS: random seed file is not updated (ITS#948)

Full_Name: Gabor Gombas
Version: 2.x-DEVEL
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (


The TLS code in OpenLDAP has support using a regular file to seed the
random number generator. The problem is, that this file is never
updated. OpenSSL by default feeds some random information (such as
the current time and process id) to the RNG which saves us from using
exactly the same random number sequence every time, but this is
not strong enough for cryptographic purposes. So either the seed file
should be updated using RAND_write_file() when an application exits,
or simply drop support for seed files and require the presence of
either a kernel random device or egd.