[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: TLS: random seed file is not updated (ITS#948)

> Full_Name: Gabor Gombas
> Version: 2.x-DEVEL
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (
> Hello,
> The TLS code in OpenLDAP has support using a regular file to seed the
> random number generator. The problem is, that this file is never
> updated. OpenSSL by default feeds some random information (such as
> the current time and process id) to the RNG which saves us from using
> exactly the same random number sequence every time, but this is
> not strong enough for cryptographic purposes. So either the seed file
> should be updated using RAND_write_file() when an application exits,
> or simply drop support for seed files and require the presence of
> either a kernel random device or egd.
> Gabor

I vote against dropping support entirely.  When one is developing
applications and experimenting with TLS/SSL support, all means possible
should be available to get things working.  Documentation should be
present to warn users that it is not cryptographically strong enough
to be secure for transmission over public networks, but don't take
away a feature that developers and testers may find useful.