curl-users
Re: curl 7.6.1 and lib/ssluse.c
Date: Tue, 6 Mar 2001 01:09:18 +0100 (MET)
On Mon, 5 Mar 2001 curl_at_thewrittenword.com wrote:
> FYI, the way curl initializes the entropy pool for OpenSSL is weak.
We can't have it that way.
> I don't have the time to add this to curl at the moment but if there's
> a TODO list, please add this. You'll need to decide whether or not to
> remove the current seed method and replace with the method above or
> simply to augment the current method with what you currently have.
I've made a first attempt now that was just committed to CVS. I intend to add
a command line option (and libcurl curl_easy_setopt() option) to be available
in the next release.
> I also think that if there is an autoconf option, --with-egd-socket, it
> should reject the current method (if not and you wish to keep the current
> method, let the user know via a warning that the seed is being generated
> via a weak method).
I intend to have a series of seeding attempts with my weak one as the last
one in the line, with logging that it is a weak seed.
Thanks for bringing this to our attention.
-- Daniel Stenberg -- curl project maintainer -- http://curl.haxx.se/
Received on 2001-03-06
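
The ordering described in the reply above (a series of seeding attempts, the weak one last, with a log line when it is the one used), sketched in C as an added example. It is not curl's or OpenSSL's code; `seed_pool`, `seed_with_chain`, the source list and the paths passed in are hypothetical names chosen for illustration.

```c
#include <stdio.h>
#include <time.h>
#include <unistd.h>

/* One seeding attempt: fill buf with len bytes, return 0 on success. */
typedef int (*seed_fn)(const char *arg, unsigned char *buf, size_t len);

struct seed_source { const char *name; seed_fn fn; const char *arg; int weak; };

/* Strong: read len bytes from a kernel random device or a seed file. */
static int seed_from_file(const char *path, unsigned char *buf, size_t len) {
    FILE *f = path ? fopen(path, "rb") : NULL;
    if (!f) return -1;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;   /* a short read counts as failure */
}

/* Weak last resort: time and pid are guessable, so this source is flagged. */
static int seed_from_clock(const char *arg, unsigned char *buf, size_t len) {
    unsigned long v = (unsigned long)time(NULL) ^ ((unsigned long)getpid() << 16);
    (void)arg;
    for (size_t i = 0; i < len; i++) {
        v = v * 1103515245UL + 12345UL;   /* LCG stretch, adds no entropy */
        buf[i] = (unsigned char)(v >> 16);
    }
    return 0;
}

/* Try each source in order. Returns the index used (-1 if none), sets *weak. */
int seed_pool(const struct seed_source *src, int n,
              unsigned char *buf, size_t len, int *weak) {
    for (int i = 0; i < n; i++) {
        if (src[i].fn(src[i].arg, buf, len) != 0) continue;
        *weak = src[i].weak;
        if (*weak)
            fprintf(stderr, "warning: seeded from %s, a WEAK seed\n", src[i].name);
        return i;
    }
    *weak = 1;   /* nothing succeeded: the pool must not be trusted */
    return -1;
}

/* Hypothetical helper: build the chain with the weak source always last. */
int seed_with_chain(const char *device, const char *seedfile,
                    unsigned char *buf, size_t len, int *weak) {
    struct seed_source chain[] = {
        { "random device", seed_from_file, device, 0 },
        { "seed file", seed_from_file, seedfile, 0 },
        { "clock/pid", seed_from_clock, NULL, 1 },
    };
    return seed_pool(chain, 3, buf, len, weak);
}
```

In a real build the collected bytes would be passed on to OpenSSL's `RAND_seed()`; that call is left out so the block compiles without OpenSSL. The caller gets the weak flag back so it can refuse to continue instead of only logging.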