On Thu, Dec 23, 2010 at 01:02:51AM -0500, micah wrote:

> Obviously it is well understood that the security of cryptographic
> software, such as TLS, depends on good random numbers. Postfix's
> tlsmgr(8) maintains a PRNG pool, which is fed from an external source,
> configured via tls_random_source, typically /dev/urandom (default on
> Linux systems). Presumably, the tlsmgr's PRNG takes the data from the
> tls_random_source and mixes it around in its own pool.

Yes.

> The TLS_README[0] talks about the possibility of specifying EGD as a
> random source, but I'm not sure why you would specify EGD directly as a
> random source because EGD keeps the kernel pool topped off.

Some older supported systems don't have a /dev/urandom. The world is not
all Linux.

> So why would you change the tls_random_source to use EGD instead of
> /dev/urandom?

You wouldn't; if you have a /dev/urandom, use it.

-- 
Viktor.