Automatically generated configuration files

Florian Weimer fweimer at redhat.com
Thu Apr 24 18:17:02 UTC 2014


On 04/24/2014 05:39 PM, Paul Wouters wrote:
> On Thu, 24 Apr 2014, Florian Weimer wrote:
>
>> I don't think "openssl genrsa 2048" has this issue on today's
>> machines.  (I know I saw it with GNUTLS.)
>
> I was sceptical, so I tried this on a freshly booted VM:
>
> root at bofh:~# virsh start north
> Domain north started
> root at bofh:~# ssh root at north
> Last login: Wed Apr 23 11:54:46 2014
> [root at north ~]# time openssl genrsa 2048
> [...]
> real    0m0.382s
> user    0m0.267s
> sys    0m0.003s
>
> Call me very surprised! We finally have real entropy in VMs now. Good news!

I'm afraid your conclusion does not follow from the facts.  "openssl 
genrsa" simply does not ensure that actual physical entropy is 
available.  I'll make this quite explicit in my advice.

Most of the "openssl" subcommands are tools for testing and debugging 
OpenSSL itself, and should not be used for other purposes.

-- 
Florian Weimer / Red Hat Product Security Team
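The readiness check that, as Florian notes above, `openssl genrsa` itself never performs, written here as an added example that is not part of the thread. It assumes Linux with Python 3.6 or later (for `os.getrandom`) and an `openssl` binary on the PATH; the function names `pool_initialized`, `genrsa_command` and `generate_key` are chosen for this example. On Linux, `getrandom(2)` with `flags=0` blocks until the kernel CSPRNG has been seeded, and `GRND_NONBLOCK` turns that block into `EAGAIN`; polling on it lets a wrapper refuse to generate a key on a freshly booted VM whose pool is not yet seeded, instead of inferring anything from how fast `genrsa` returned.

```python
import os
import subprocess
import time

# procfs files (Linux). Their values are informational only; the actual
# readiness signal is getrandom(2) no longer failing with EAGAIN under
# GRND_NONBLOCK.
ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"
POOLSIZE = "/proc/sys/kernel/random/poolsize"


def read_proc_int(path):
    """Return the integer in a one-line procfs file, or None if unreadable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def pool_initialized(timeout=None):
    """Poll getrandom(2) with GRND_NONBLOCK until the kernel CRNG is seeded.

    Returns True once seeded, False if still unseeded after `timeout`
    seconds, and None where os.getrandom is unavailable (non-Linux).
    With flags=0 getrandom would simply block; polling lets the caller
    bound the wait and report it instead of hanging silently.
    """
    if not hasattr(os, "getrandom"):
        return None
    deadline = None if timeout is None else time.monotonic() + timeout
    while True:
        try:
            os.getrandom(1, os.GRND_NONBLOCK)
            return True
        except BlockingIOError:
            if deadline is not None and time.monotonic() >= deadline:
                return False
            time.sleep(0.1)


def genrsa_command(bits, out_path):
    """Build the `openssl genrsa` argv; reject undersized moduli up front."""
    if bits < 2048 or bits % 8:
        raise ValueError("RSA modulus must be >= 2048 bits and a multiple of 8")
    return ["openssl", "genrsa", "-out", out_path, str(bits)]


def generate_key(bits, out_path, timeout=30):
    """Generate an RSA key only after the kernel CRNG reports itself seeded.

    A short wall-clock time for genrsa says nothing about the entropy
    behind the key: the tool itself never waits for the pool.
    """
    state = pool_initialized(timeout)
    if state is False:
        raise RuntimeError(
            "kernel CRNG not seeded after %d s; refusing to generate a key" % timeout)
    if state is None:
        raise RuntimeError("no getrandom(2) on this platform; cannot verify CRNG state")
    avail, size = read_proc_int(ENTROPY_AVAIL), read_proc_int(POOLSIZE)
    print("CRNG seeded; entropy_avail=%s poolsize=%s" % (avail, size))
    subprocess.run(genrsa_command(bits, out_path), check=True)
    return out_path


if __name__ == "__main__":
    generate_key(2048, "example-key.pem")
```

The wrapper deliberately uses getrandom rather than reading `entropy_avail`: the counter is a kernel-version-dependent estimate, while getrandom reports the one state that matters, whether the CRNG has been seeded at all.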
