Repository :
http://git.fedorahosted.org/git/?p=secure-coding.git
On branch : master
---------------------------------------------------------------
commit 564ffc80149307d0a99724e2689ed3a8816513bf
Author: Florian Weimer <fweimer(a)redhat.com>
Date: Fri Apr 25 13:47:22 2014 +0200
sect-Defensive_Coding-TLS-OpenSSL: Mention "openssl genrsa" entropy issue
---------------------------------------------------------------
defensive-coding/en-US/Features-TLS.xml | 9 +++++++++
1 files changed, 9 insertions(+), 0 deletions(-)
diff --git a/defensive-coding/en-US/Features-TLS.xml
b/defensive-coding/en-US/Features-TLS.xml
index 936910d..f4da007 100644
--- a/defensive-coding/en-US/Features-TLS.xml
+++ b/defensive-coding/en-US/Features-TLS.xml
@@ -186,6 +186,15 @@
verify</command> result in an exit status of zero.
</para>
<para>
+ OpenSSL command-line commands, such as <command>openssl
+ genrsa</command>, do not ensure that physical entropy is used
+ for key generation—they obtain entropy from
+ <filename>/dev/urandom</filename> and other sources, but not
+ from <filename>/dev/random</filename>. Keys generated by
+ these tools should not be used in high-value, critical
+ functions.
+ </para>
+ <para>
The OpenSSL server and client applications (<command>openssl
s_client</command> and <command>openssl s_server</command>)
are debugging tools and should <emphasis>never</emphasis> be
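Review bot: the new paragraph tells readers not to use keys from <command>openssl genrsa</command> for "high-value, critical functions" but never says what they should use instead, so the guidance is not actionable; either name the alternative (a hardware token, an HSM, or generating the key on a host whose kernel random pool is known to be seeded) or drop the prohibition. The stated rationale is also weaker than it reads: equating <filename>/dev/random</filename> with "physical entropy" and <filename>/dev/urandom</filename> with its absence is not accurate on Linux, where both draw from the same kernel CSPRNG and the practical risk is generating keys before that pool is seeded (first boot, freshly cloned VMs, embedded devices). Suggest rewording along the lines of "do not block until the kernel random pool has been seeded, so keys generated early in the boot process or on freshly provisioned systems may be predictable", which states the actual failure mode and tells the reader what condition to check.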