How does OpenSSL generate random number for the client side during an SSL
handshaking?
Does it reply on the presence of something like ".rnd" file?
Bodo Moeller wrote:
> On Tue, Oct 12, 1999 at 11:43:01AM -0300, Miguel Angel Fraga wrote:
>
> >> OpenSSL does not contain a "RNG". It uses a cryptographic PRNG, which
> >> you as the application programmer have to initialize by calling
> >> RAND_seed() with appropriate input.
>
> >> In the case of Windows, one method for creating such input is to ask
> >> the user to move the mouse and use the the coordinates of the
> >> WM_MOUSEMOVE messages you get and the respective system time.
>
> > It seems to be a good choice.
> > Has anyone added such a feature to RAND_seed()?
> > If not I propose fix it for the next OpenSSL-Release.
>
> The application has to take care of this, not the library. A generic
> solution is not possible; e.g. for servers, you cannot expect the
> mouse to move at all. The seeding that OpenSSL does automatically
> suffices on certain platforms, but one should not rely on such
> possibilities being available. One part of a solution for application
> programs is to do what the "openssl" utility does: it expects to find
> random input in a file (usually $HOME/.rnd) and writes an updated
> random state back later.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
