Hello, I'm interested in having 'openssl' version 1.0.1e make use, by default, of hardware generated true random numbers for creating session keys.
So far I've configured a STElectronics ST33 TPM as the majority source of /dev/random entropy by configuring and starting the 'rngd' daemon from 'rng-tools'. This works well, and running rngtest -t10 </dev/random shows 40Kbit/sec of continuous good quality random data.

Next I did this:

    cd /dev
    mv urandom urandom.hold
    mknod urandom c 1 8

Which causes /dev/urandom to make use of the /dev/random driver in the kernel.

The above sort-of works. Some of the new 'openssl' connections to servers on this system succeed. However most return "cannot renegotiate" error. My guess is that 'openssl' is either not obtaining enough random bytes on the first try from /dev/random or is issuing a non-blocking read() and is told to try-again due to transient shortages of entropy.

Can anyone suggest a way forward here? Having a decent source of true random numbers I would like to rely on that instead of pseudo random numbers for session keys and (of course) new long-term keys. I find it acceptable that brief delays in session establishment may occur.

Thank You
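
The failure mode guessed at in the post (a single read() that comes back short, or a non-blocking read() that returns EAGAIN while entropy is briefly unavailable) is shown below as an added example; it is not part of the original post and not OpenSSL's code, and it does not establish how OpenSSL 1.0.1e actually reads the device. A pipe stands in for the entropy device, and `read_exact` and `demo_trickle` are hypothetical names.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <sys/wait.h>
#include <unistd.h>

/* Read exactly len bytes; tolerate short reads, EINTR and EAGAIN.
 * Returns 0 on success, -1 on error, EOF or timeout_ms without data. */
int read_exact(int fd, unsigned char *buf, size_t len, int timeout_ms)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n > 0) { got += (size_t)n; continue; }   /* short read: keep going */
        if (n == 0) return -1;                       /* EOF */
        if (errno == EINTR) continue;
        if (errno != EAGAIN) return -1;              /* real I/O error */
        struct pollfd p = { .fd = fd, .events = POLLIN };
        int r = poll(&p, 1, timeout_ms);             /* wait for more bytes */
        if (r == 0 || (r < 0 && errno != EINTR)) return -1;
    }
    return 0;
}

/* Constructed demo: a pipe stands in for a device delivering bytes in small
 * bursts. Returns 0 when one read hit EAGAIN and the loop still got 32 bytes. */
int demo_trickle(void)
{
    int pfd[2];
    unsigned char buf[32];
    if (pipe(pfd) != 0 || fcntl(pfd[0], F_SETFL, O_NONBLOCK) != 0) return -1;
    ssize_t n = read(pfd[0], buf, sizeof buf);       /* nothing available yet */
    int naive_eagain = (n == -1 && errno == EAGAIN);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                                  /* child: 4 bursts of 8 bytes */
        for (int i = 0; i < 4; i++) {
            if (write(pfd[1], "ABCDEFGH", 8) != 8) _exit(1);
            poll(NULL, 0, 20);                       /* 20 ms pause between bursts */
        }
        _exit(0);
    }
    close(pfd[1]);
    int rc = read_exact(pfd[0], buf, sizeof buf, 2000);
    waitpid(pid, NULL, 0);
    close(pfd[0]);
    return (naive_eagain && rc == 0 && buf[0] == 'A' && buf[31] == 'H') ? 0 : -1;
}

int main(void) { return demo_trickle() == 0 ? 0 : 1; }
```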