Automatically generated configuration files

Florian Weimer fweimer at
Thu Apr 24 18:17:02 UTC 2014

On 04/24/2014 05:39 PM, Paul Wouters wrote:
> On Thu, 24 Apr 2014, Florian Weimer wrote:
>> I don't think "openssl genrsa 2048" has this issue on today's
>> machines.  (I know I saw it with GNUTLS.)
> I was sceptical, so I tried this on a freshly booted VM:
> root at bofh:~# virsh start north
> Domain north started
> root at bofh:~# ssh root at north
> Last login: Wed Apr 23 11:54:46 2014
> [root at north ~]# time openssl genrsa 2048
> [...]
> real    0m0.382s
> user    0m0.267s
> sys    0m0.003s
> Call me very surprised! We finally have real entropy in VMs now. Good news!

I'm afraid your conclusion does not follow from the facts.  "openssl 
genrsa" simply does not ensure that actual physical entropy is 
available.  I'll make this quite explicit in my advice.

Most of the "openssl" subcommands are tools for testing and debugging 
OpenSSL itself, and should not be used for other purposes.

Florian Weimer / Red Hat Product Security Team

More information about the devel mailing list