curl-library

Re: Flag to bail out if not enough entropy?

From: Florian Weimer <fw_at_deneb.enyo.de>
Date: Tue, 27 Sep 2016 20:03:35 +0200

* bch:

> Being devil's advocate, I think the level of responsibility, detail, cost
> of errors for getting into random-management and cryptography may be so
> high that it really should be left to alternative software libcurl consumes
> (e.g. openssl), and should simply bail when it detects anomalies.

The problem here is that for historic reasons, OpenSSL provides plenty
of hooks so that you could use it securely on entropy-less systems.

libcurl tries to abstract from that, instead of requiring that
applications initialize OpenSSL as required, or use a
platform-provided OpenSSL implementation which has all this built in.

At least we have these built-in entropy sources in OpenSSL on most
platforms nowadays. Locking is still application-provided and perhaps
even more critical.
Received on 2016-09-27