curl-users
curl 7.6.1 and lib/ssluse.c
Date: Mon, 5 Mar 2001 15:23:13 -0600
FYI, the way curl initializes the entropy pool for OpenSSL is weak.
This is only for systems without /dev/random. For other systems
(Solaris, HP-UX, IRIX, Tru64 UNIX), EGD or PRNGD is the recommeneded
way to seed the pool. What is needed is an --egd-socket=PATH
command-line option to specify the path of the socket EGD/PRNGD is
listening on. Alternatively, RANDFILE in the environment can be set to
the path of the socket file and then use RAND_file_name to get the
pathname and RAND_egd to pass the filename along to OpenSSL. My
preference is the command-line option.
Stunnel has -E as an equivalent to --egd-socket. It also has a
hard-coded path at compile time (./configure --with-egd-socket=FILE).
I just added such a command-line option to GnuPG (the folks on the
GnuPG list complained about an environment variable overriding the
hard-coded compile time path).
I don't have the time to add this to curl at the moment but if there's
a TODO list, please add this. You'll need to decide whether or not to
remove the current seed method and replace with the method above or
simply to augment the current method with what you currently have. I
also think that if there is an autoconf option, --with-egd-socket, it
should reject the current method (if not and you wish to keep the
current method, let the user know via a warning that the seed is being
generated via a weak method).
-- albert chin (china_at_thewrittenword.com)Received on 2001-03-05