Repository : http://git.fedorahosted.org/git/?p=secure-coding.git On branch : master commit 547d8017443dc8f27cde63a6026bf8b0d2ff2770 Merge: e9907e4 c0c8caa Author: Eric Christensen <echriste(a)redhat.com&gt; Date: Thu May 29 11:53:43 2014 -0400 Merge branch 'master' of git+ssh://git.fedorahosted.org/git/secure-coding Securing_TLS/en-US/mod_ssl.xml | 15 ++++++++++++--- 1 files changed, 12 insertions(+), 3 deletions(-) diff --git a/Securing_TLS/en-US/mod_ssl.xml b/Securing_TLS/en-US/mod_ssl.xml index 3441d0a..365b0bb 100644 --- a/Securing_TLS/en-US/mod_ssl.xml +++ b/Securing_TLS/en-US/mod_ssl.xml @@ -22,7 +22,8 @@ Listen 443 https </screen> This specifies the port that httpd should listen to for SSL/TLS traffic. Port 443 is the standard port for https. - +</para> +<para> <screen> # Pseudo Random Number Generator (PRNG): # Configure one or more sources to seed the PRNG of the @@ -39,10 +40,18 @@ SSLRandomSeed connect builtin #SSLRandomSeed startup file:/dev/random 512 #SSLRandomSeed connect file:/dev/random 512 #SSLRandomSeed connect file:/dev/urandom 512 +#SSLRandomSeed connect exec:/usr/local/bin/rand 16 </screen> -The random number generator is very important for cryptology and this is where those settings get established. By default the pseudo-random number generator is defined here although if you have another source of random data you can put that here. - +The random number generator is very important for cryptology and this is where those settings get established. By default the pseudo-random number generator is configured here although if you have another source of random data you can specify it here. +</para> +<para> +For Linux systems, the quality of entropy provided by <literal>/dev/urandom</literal> is very high so we recommend its use for both <literal>startup</literal> and <literal>connect</literal>. The number of bytes read should be left at 256 for <literal>startup</literal> as it has minimal impact on performance, and set to 32 for the <literal>connect</literal> use (256 bits). This provides enough entropy for both internal operation and for ServerRandom value in TLS (which is limited to 256 bits). +</para> +<para> +In cases where the system on which <literal>mod_ssl</literal> is running is slow and doesn't have a hardware random number generator, we highly recommend to set the values to the ones quoted in the above example. +</para> +<para> <screen> # Use "SSLCryptoDevice" to enable any supported hardware # accelerators. Use "openssl engine -v" to list supported