[openssl-dev] Do you use EGD or PRNGD?

[openssl-dev] Do you use EGD or PRNGD?

Salz, Rich

We are thinking of removing support for EGD (entropy-gathering daemon) in the next release.  None of our supported platforms have needed it for some time.  If this will cause an issue for you, please reply soon.

 

-- 

Senior Architect, Akamai Technologies

IM: [hidden email] Twitter: RichSalz

 


_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] Do you use EGD or PRNGD?

Tim Rice
On Mon, 1 Jun 2015, Salz, Rich wrote:

> We are thinking of removing support for EGD (entropy-gathering daemon)
> in the next release.  None of our supported platforms have needed it for
> some time.  If this will cause an issue for you, please reply soon.

There is one currently shipping system I am aware of that does
need PRNGD. OpenServer 5 from XinuOS.

> --
> Senior Architect, Akamai Technologies
> IM: [hidden email] Twitter: RichSalz
>

--
Tim Rice Multitalents
[hidden email]



Re: [openssl-dev] Do you use EGD or PRNGD?

Salz, Rich
> There is one currently shipping system I am aware of that does need PRNGD.
> OpenServer 5 from XinuOS.

Which isn't a supported system...


Re: [openssl-dev] Do you use EGD or PRNGD?

Randall S. Becker
In reply to this post by Salz, Rich
On June 1, 2015 10:03 AM Rich Salz wrote:
> We are thinking of removing support for EGD (entropy-gathering daemon) in
> the next release.
> None of our supported platforms have needed it for some time.  If this
> will cause an issue for you, please reply soon.

While HP NonStop is not officially supported, I have been helping to
maintain a fork for the platform since December and we are current through
1.0.2a. We do use prngd. I am looking for ways to get back on the official
platform list, looking for alternatives to prngd for that platform, and
trying to get vendor buy-in in this area.


Re: [openssl-dev] Do you use EGD or PRNGD?

Salz, Rich
> While HP NonStop is not officially supported, I have been helping to maintain
> a fork for the platform since December and we are current through 1.0.2a. We
> do use prngd. I am looking for ways to get back on the official platform list,
> looking for alternatives to prngd for that platform, and trying to get vendor
> buy-in in this area.

Thanks for the info.

One possibility is to have a separate program use prngd and write it to a RANDFILE that openssl uses.  Probably servers are the most important users, and you could/should have one file per server ...

Re: [openssl-dev] [openssl-users] Do you use EGD or PRNGD?

Salz, Rich
In reply to this post by Salz, Rich
> I had to install an entropy gather on Debian desktop because reads to
> /dev/random would fail on occasion when the device was opened
> O_NONBLOCK. I was not hitting it hard - I was just trying to grab a 32 byte
> one-time seed to seed an in-app generator. It was really surprising to see
> Debian's RNG could only supply 7 bytes or so. I was amazed it happened out
> of the box in 2014.

I agree, that's pretty amazing.

Why is there no need?

It's hard to get random seeding done right.  The fewer moving parts, the easier it is to understand what's going on, and prove to yourself (or others) that it is correct.

As a workaround, periodically writing EGD data into a file that the application uses...
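
The workaround suggested in this message and in the earlier RANDFILE reply (a separate program pulls bytes from prngd/EGD and writes a seed file the application loads), as an added example that is not part of the original posts and is not OpenSSL code. It assumes a daemon answering the EGD protocol's non-blocking read command (0x01) on a Unix socket; the function names, paths and the 1024-byte seed size are hypothetical.

```python
import os
import socket
import tempfile
import time

EGD_READ_NONBLOCK = 0x01  # EGD command: reply is <count byte> + <count bytes>

def recv_exact(sock, n):
    """Read exactly n bytes; a stream socket may deliver them in pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("daemon closed the connection mid-reply")
        buf += chunk
    return buf

def egd_read(sock, want):
    """One non-blocking request; the daemon may return fewer bytes, even 0."""
    sock.sendall(bytes([EGD_READ_NONBLOCK, want]))  # want must be 1..255
    count = recv_exact(sock, 1)[0]
    if count > want:
        raise ValueError("daemon returned more bytes than requested")
    return recv_exact(sock, count)

def gather(sock, total, max_empty=3, delay=1.0):
    """Collect exactly `total` bytes, or raise; never return a short seed."""
    out, empty = b"", 0
    while len(out) < total:
        got = egd_read(sock, min(255, total - len(out)))
        empty = 0 if got else empty + 1
        if empty >= max_empty:
            raise RuntimeError("daemon has no entropy; refusing a short seed")
        if not got:
            time.sleep(delay)
        out += got
    return out

def write_seed_file(path, data):
    """Replace the seed file atomically; mkstemp creates it with mode 0600."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.replace(tmp, path)

def refresh_seed(egd_socket_path, seed_path, nbytes=1024):
    """Hypothetical entry point for a periodic job; one seed_path per server."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(egd_socket_path)
        write_seed_file(seed_path, gather(s, nbytes))
```

The short-read handling in `gather` matters for the same reason as the 7-byte `/dev/random` read quoted above: a seed file silently written with fewer bytes than intended is worse than a job that fails and gets noticed.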

Re: [openssl-dev] Do you use EGD or PRNGD?

Richard Levitte - VMS Whacker
In reply to this post by Salz, Rich
In message <[hidden email]> on Mon, 1 Jun 2015 18:33:01 +0000, "Salz, Rich" <[hidden email]> said:

rsalz> > While HP NonStop is not officially supported, I have been helping to maintain
rsalz> > a fork for the platform since December and we are current through 1.0.2a. We
rsalz> > do use prngd. I am looking for ways to get back on the official platform list,
rsalz> > looking for alternatives to prngd for that platform, and trying to get vendor
rsalz> > buy-in in this area.
rsalz>
rsalz> Thanks for the info.
rsalz>
rsalz> One possibility is to have a separate program use prngd and write it to a RANDFILE that openssl uses.  Probably servers are the most important users, and you could/should have one file per server ...

I'd like to remind people of the possibility to make an engine module.

Cheers,
Richard

--
Richard Levitte                         [hidden email]
                                        http://richard.levitte.org/

"Life is a tremendous celebration - and I'm invited!"
-- from a friend's blog, translated from Swedish