[Secure Coding] master: TLS: More balanced advice on "openssl genrsa" and /dev/urandom (7f640d9)
fweimer at fedoraproject.org
Mon Apr 28 13:41:32 UTC 2014
Repository : http://git.fedorahosted.org/git/?p=secure-coding.git
On branch : master
>---------------------------------------------------------------
commit 7f640d95375def0979c9f6a12c02cd414fe1eb7e
Author: Florian Weimer <fweimer at redhat.com>
Date: Mon Apr 28 15:41:05 2014 +0200
TLS: More balanced advice on "openssl genrsa" and /dev/urandom
>---------------------------------------------------------------
defensive-coding/en-US/Features-TLS.xml | 8 +++++---
1 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/defensive-coding/en-US/Features-TLS.xml b/defensive-coding/en-US/Features-TLS.xml
index f4da007..5d9e39d 100644
--- a/defensive-coding/en-US/Features-TLS.xml
+++ b/defensive-coding/en-US/Features-TLS.xml
@@ -190,9 +190,11 @@
genrsa</command>, do not ensure that physical entropy is used
for key generation—they obtain entropy from
<filename>/dev/urandom</filename> and other sources, but not
- from <filename>/dev/random</filename>. Keys generated by
- these tools should not be used in high-value, critical
- functions.
+ from <filename>/dev/random</filename>. This can result in
+ weak keys if the system lacks a proper entropy source (e.g., a
+ virtual machine with solid state storage). Depending on local
+ policies, keys generated by these OpenSSL tools should not be
+ used in high-value, critical functions.
</para>
<para>
The OpenSSL server and client applications (<command>openssl
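Review bot: the new sentence on lines 26-28 ("This can result in weak keys if the system lacks a proper entropy source (e.g., a virtual machine with solid state storage)") names the symptom but not the actual condition: reading from /dev/urandom only yields weak output while the kernel pool is still unseeded, typically early in boot or on the first boot of a freshly provisioned virtual machine image, so a VM with SSD storage that has been running for a while is not itself the problem. Suggest wording it as "if the kernel's random pool has not yet been seeded when the key is generated (for example, early after the first boot of a virtual machine with no hardware entropy source)". The closing "Depending on local policies" qualifier (line 28-30) also leaves the reader without a criterion; state which policies are meant (e.g., certification or high-assurance key management requirements that mandate a blocking entropy source) or drop the qualifier and keep the original unconditional recommendation.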