Repository :
http://git.fedorahosted.org/git/?p=secure-coding.git
On branch : master
---------------------------------------------------------------
commit 547d8017443dc8f27cde63a6026bf8b0d2ff2770
Merge: e9907e4 c0c8caa
Author: Eric Christensen <echriste(a)redhat.com>
Date: Thu May 29 11:53:43 2014 -0400
Merge branch 'master' of
git+ssh://git.fedorahosted.org/git/secure-coding
---------------------------------------------------------------
Securing_TLS/en-US/mod_ssl.xml | 15 ++++++++++++---
1 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/Securing_TLS/en-US/mod_ssl.xml b/Securing_TLS/en-US/mod_ssl.xml
index 3441d0a..365b0bb 100644
--- a/Securing_TLS/en-US/mod_ssl.xml
+++ b/Securing_TLS/en-US/mod_ssl.xml
@@ -22,7 +22,8 @@
Listen 443 https
</screen>
This specifies the port that httpd should listen to for SSL/TLS traffic. Port 443 is the
standard port for https.
-
+</para>
+<para>
<screen>
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
@@ -39,10 +40,18 @@ SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
+#SSLRandomSeed connect exec:/usr/local/bin/rand 16
</screen>
-The random number generator is very important for cryptology and this is where those
settings get established. By default the pseudo-random number generator is defined here
although if you have another source of random data you can put that here.
-
+The random number generator is very important for cryptology and this is where those
settings get established. By default the pseudo-random number generator is configured
here although if you have another source of random data you can specify it here.
+</para>
+<para>
+For Linux systems, the quality of entropy provided by
<literal>/dev/urandom</literal> is very high so we recommend its use for both
<literal>startup</literal> and <literal>connect</literal>. The
number of bytes read should be left at 256 for <literal>startup</literal> as
it has minimal impact on performance, and set to 32 for the
<literal>connect</literal> use (256 bits). This provides enough entropy for
both internal operation and for ServerRandom value in TLS (which is limited to 256 bits).
+</para>
+<para>
+In cases where the system on which <literal>mod_ssl</literal> is running is
slow and doesn't have a hardware random number generator, we highly recommend to set
the values to the ones quoted in the above example.
+</para>
+<para>
<screen>
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
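Review bot: the new closing paragraph points readers to "the values quoted in the above example", but no line in the `<screen>` block carries the values the text recommends: the prose asks for 256 bytes from `/dev/urandom` at `startup` and 32 bytes at `connect`, while every commented `SSLRandomSeed file:` line in the block still reads 512 bytes, and the only line this hunk adds to the block is `#SSLRandomSeed connect exec:/usr/local/bin/rand 16`, an external-program source reading 16 bytes that the text never discusses. Either drop the `exec:` line or explain it, and add the recommended settings to the block so the cross-reference resolves, e.g. `SSLRandomSeed startup file:/dev/urandom 256` and `SSLRandomSeed connect file:/dev/urandom 32`. Two wording points in the added paragraphs: "for ServerRandom value in TLS" should read "for the ServerRandom value in TLS", and "we highly recommend to set the values" should read "we highly recommend setting the values".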