Thanks. RAND_status() is returning a 1 so I guess I am good for now. I put in an error message if it fails to return a 1.
I will keep an eye on this problem going forward. The product is designed to run as a Windows Service but I am currently testing in console mode. I will specifically watch what happens when I run as a service. (PITA to test as a Service and I am not going to do it today.)

Thanks again for your help.

Charles

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Thomsen, Brant
Sent: Friday, August 24, 2012 10:30 AM
To: openssl-users@openssl.org
Subject: RE: Entropy for OpenSSL

OpenSSL will try to use random sources available for the OS, so supplying your own additional randomization is usually not required. You can call RAND_status() to determine if the library was successful in getting enough random data that it decides it can start providing random numbers. It will return a 1 if it was, or a 0 if more random data is needed.

That being said, the randomization algorithm used by OpenSSL is designed so that the randomness of the numbers returned will not be reduced by submitting additional random or pseudo-random data using the RAND_add() call. I always make it a habit to write my code so it saves a file of random data when OpenSSL is closed, and loads that same random data file the next time it is opened. (See the functions RAND_write_file() and RAND_load_file().) That way I know that OpenSSL will start in a well-randomized state, and any additional randomization initialization done by the library can only make things better. If you have access to other information that is pseudo-random, such as network packets, it might not be a bad idea to call RAND_add() on that data as well.

RAND_screen() is specific to Windows, and uses a snapshot of the desktop as random data. It won't hurt to call this if you can, but it is not particularly effective. There are also some situations, such as calling OpenSSL from a Windows service, where the desktop is static or not available. That is why OpenSSL no longer relies on it.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
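The pattern Brant describes (gate on RAND_status(), persist a seed file at shutdown, reload it at startup, and opportunistically RAND_add() extra data), as an added example that is not code from either poster. It goes through Python's standard `ssl` module, which binds the same OpenSSL RAND API (RAND_status, RAND_add, RAND_bytes) but does not expose RAND_write_file()/RAND_load_file(); those two are therefore emulated here with RAND_bytes() plus RAND_add(), which is an assumption of this example rather than OpenSSL's own implementation. The seed file path, its size and the 0.0 entropy credit are also choices made for the example.

```python
"""Seed-persistence pattern from the thread via Python's ssl bindings to
OpenSSL's RAND API. Added example, not code from the thread or from OpenSSL.
Assumed: RAND_write_file()/RAND_load_file() are emulated with RAND_bytes()
and RAND_add(); seed path and size are illustrative."""
import os
import ssl
import tempfile

SEED_LEN = 1024  # assumed seed-file size (RAND_write_file() also writes 1024 bytes)


def ensure_seeded():
    """The RAND_status() gate: fail loudly instead of generating key
    material from an unseeded CSPRNG. Returns True when seeded."""
    if not ssl.RAND_status():
        raise RuntimeError(
            "OpenSSL CSPRNG reports insufficient entropy; "
            "feed it with RAND_add() before generating key material")
    return True


def new_seed_path():
    """Fresh, empty location for a seed file (temp dir; a service would use
    its own protected data directory instead)."""
    return os.path.join(tempfile.mkdtemp(prefix="openssl-seed-"), "rand.seed")


def load_seed_file(path):
    """Emulates RAND_load_file(): mix last run's seed file into the pool.
    Returns bytes mixed in (0 if the file is absent, the normal first run)."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except FileNotFoundError:
        return 0
    # Entropy credit 0.0: the bytes are mixed in (which, as the thread
    # notes, cannot make the output worse) but are not trusted to count
    # toward RAND_status(), because an on-disk file may have been read or
    # replaced. Raise the credit only if the file's confidentiality is
    # actually enforced (owner-only permissions / service ACL).
    ssl.RAND_add(data, 0.0)
    return len(data)


def write_seed_file(path, nbytes=SEED_LEN):
    """Emulates RAND_write_file(): persist fresh CSPRNG output for the next
    start. Returns bytes written."""
    ensure_seeded()  # never persist the output of an unseeded generator
    data = ssl.RAND_bytes(nbytes)
    # Owner read/write only, as RAND_write_file() does on POSIX. The mode is
    # advisory on Windows; protect the service's data dir with an ACL there.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return len(data)


def mix_in(data, entropy_estimate=0.0):
    """RAND_add() for opportunistic inputs such as packet payloads/timings.
    Returns bytes mixed in. Keep entropy_estimate at 0.0 unless the source
    has been measured: over-crediting is the one way RAND_add() can hurt."""
    ssl.RAND_add(data, float(entropy_estimate))
    return len(data)


def service_lifecycle(seed_path, nbytes=SEED_LEN):
    """One start/stop cycle: load last run's seed, check the generator,
    save a fresh seed at shutdown. Returns (bytes_loaded, seeded, bytes_saved)."""
    loaded = load_seed_file(seed_path)  # 0 on the very first run
    seeded = ensure_seeded()
    saved = write_seed_file(seed_path, nbytes)
    return loaded, seeded, saved


if __name__ == "__main__":
    path = new_seed_path()
    print("first run :", service_lifecycle(path))  # loads 0, saves SEED_LEN
    print("second run:", service_lifecycle(path))  # loads SEED_LEN, saves SEED_LEN
```

The second `service_lifecycle()` call on the same path is the "next time it is opened" case from the thread: the previous run's file is mixed in before anything is generated. The conservative 0.0 credit means RAND_status() is still decided by what the OS source delivered, so the file can only add to the pool; the C-side RAND_load_file() historically credits the bytes it reads, which is a trust decision you should make deliberately for a file that sits on disk between runs.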