Message213769
Some versions of OpenSSL use the RDRAND engine by default. The versions include openssl-1.0.1-beta1 through openssl-1.0.1f.
RDRAND has taken some criticism because its essentially unaudited and it could be spiked like the Dual-EC generator (http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html).
If the RDRAND engine is in effect, then the application and the library (internally) will be using the generator. But some some folks don't want to use an unaudited generator.
I'm not sure what the best action is to take. For reading on ways to disable the RDRAND engine, see http://seclists.org/fulldisclosure/2013/Dec/142. |
|
Date |
User |
Action |
Args |
2014-03-16 22:43:43 | Jeffrey.Walton | set | recipients:
+ Jeffrey.Walton |
2014-03-16 22:43:43 | Jeffrey.Walton | set | messageid: <1395009823.06.0.12513934029.issue20952@psf.upfronthosting.co.za> |
2014-03-16 22:43:43 | Jeffrey.Walton | link | issue20952 messages |
2014-03-16 22:43:42 | Jeffrey.Walton | create | |
|