[openssl-users] Do you use EGD or PRNGD?


[openssl-users] Do you use EGD or PRNGD?

Salz, Rich

We are thinking of removing support for EGD (entropy-gathering daemon) in the next release.  None of our supported platforms have needed it for some time.  If this will cause an issue for you, please reply soon.

-- 

Senior Architect, Akamai Technologies

IM: [hidden email] Twitter: RichSalz

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] [openssl-dev] Do you use EGD or PRNGD?

Jeffrey Walton-3
On Mon, Jun 1, 2015 at 10:03 AM, Salz, Rich <[hidden email]> wrote:
> We are thinking of removing support for EGD (entropy-gathering daemon) in
> the next release.  None of our supported platforms have needed it for some
> time.  If this will cause an issue for you, please reply soon.
>
Rich... At the cost of being argumentative, why is there no need for it?

I had to install an entropy gatherer on a Debian desktop because reads to
/dev/random would fail on occasion when the device was opened
O_NONBLOCK. I was not hitting it hard - I was just trying to grab a 32
byte one-time seed to seed an in-app generator. It was really
surprising to see Debian's RNG could only supply 7 bytes or so. I was
amazed it happened out of the box in 2014.

After that, I switched to alternate methods to grab any entropy I
could get my hands on, including things like EGD, HAVEGED and even
sensor readings on mobile devices (if they are available).

Jeff

Re: [openssl-users] Do you use EGD or PRNGD?

Jakob Bohm-7
On 01/06/2015 16:03, Salz, Rich wrote:
> We are thinking of removing support for EGD (entropy-gathering daemon) in the next release.  None of our supported platforms have needed it for some time.  If this will cause an issue for you, please reply soon.

While the original EGD is needed only on platforms with
no platform-provided equivalent (such as /dev/*random or
Microsoft CryptGenRandom()), it should be noted that a
networked variant of the EGD protocol has been used by
at least one hardware RNG vendor, though I am unsure if
the builtin EGD code in OpenSSL could ever talk directly
to that variant anyway.

Two other platforms I can think of as potentially affected
are Solaris 2.4+ without the /dev/random patch and CE
installations without MS CryptoAPI (this is the default
for some CE 2.11 targets, and an option for any vendor
configured CE installation of any version, including the
latest ones, though that latter option might be as rare
as building the Linux kernel without /dev/*random).

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded 


Re: [openssl-users] [openssl-dev] Do you use EGD or PRNGD?

Salz, Rich
> While HP NonStop is not officially supported, I have been helping to maintain
> a fork for the platform since December and am current through 1.0.2a. We
> do use prngd. I am looking for ways to get back on the official platform list,
> looking for alternatives to prngd for that platform, and trying to get vendor
> buy-in in this area.

Thanks for the info.

One possibility is to have a separate program use prngd and write it to a RANDFILE that openssl uses.  Probably servers are the most important users, and you could/should have one file per server ...
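Rich's suggestion above (a separate program that pulls seed material from prngd) and Jeff's earlier point that a single read from an entropy source can come back short, as an added C example that is not code from OpenSSL or from anyone on the thread: a client for the EGD protocol's 0x02 "blocking read" command, which carries a one-byte length and so must be issued in chunks of at most 255 bytes, with every read looped until the full amount arrives. The caller is assumed to supply a descriptor already connected to the daemon's Unix-domain socket; the forked fake server and its constant 0xA5 fill pattern are constructed here only for the self-test.

```c
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Read exactly n bytes, looping on short reads and EINTR: one read() may return less than asked. */
static int read_fully(int fd, unsigned char *buf, size_t n) {
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0 && errno == EINTR) continue;
        if (r <= 0) return -1;              /* EOF or hard error: give up */
        got += (size_t)r;
    }
    return 0;
}

/* EGD command 0x02 = blocking read; its length field is one byte, so ask in chunks of <= 255. */
int egd_read_blocking(int fd, unsigned char *out, size_t want) {
    size_t done = 0;
    while (done < want) {
        size_t chunk = want - done > 255 ? 255 : want - done;
        unsigned char req[2] = { 0x02, (unsigned char)chunk };
        if (write(fd, req, 2) != 2) return -1;
        if (read_fully(fd, out + done, chunk) != 0) return -1;
        done += chunk;
    }
    return 0;
}

/* Self-test with no daemon: a forked child plays a constructed fake EGD over a socketpair, answering each 0x02 with 0xA5 bytes. */
int egd_selftest(void) {
    int sv[2]; unsigned char buf[300];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 0;
    pid_t pid = fork(); if (pid < 0) return 0;
    if (pid == 0) {                         /* child: fake server loop */
        unsigned char req[2], fill[255]; memset(fill, 0xA5, 255); close(sv[0]);
        while (read_fully(sv[1], req, 2) == 0 && req[0] == 0x02)
            if (write(sv[1], fill, req[1]) != req[1]) break;
        _exit(0);
    }
    close(sv[1]);
    int rc = egd_read_blocking(sv[0], buf, sizeof buf);    /* 300 = 255 + 45, two requests */
    close(sv[0]); waitpid(pid, NULL, 0);
    if (rc != 0) return 0;
    for (size_t i = 0; i < sizeof buf; i++) if (buf[i] != 0xA5) return 0;
    return 1;
}
```

Writing the returned bytes to a 0600-mode RANDFILE is the remaining step for the per-server arrangement Rich describes.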

Re: [openssl-users] Do you use EGD or PRNGD?

Salz, Rich
Thanks for the info!

> it should be noted that a networked variant of the EGD protocol has been used by at least one hardware RNG vendor, though I am unsure if the builtin EGD code in OpenSSL could ever talk directly to that variant anyway.

I don't think so, since all the code does is open a unix-domain socket.

> Two other platforms I can think of as potentially affected are Solaris 2.4+ without the /dev/random patch

Yeah, my inclination is to say "get the patch."

> and CE installations without MS CryptoAPI

The EGD code doesn't work on Windows; we use heap-walk to seed it there.


Re: [openssl-users] [openssl-dev] Do you use EGD or PRNGD?

Richard Levitte - VMS Whacker
In message <[hidden email]> on Mon, 1 Jun 2015 18:33:01 +0000, "Salz, Rich" <[hidden email]> said:

rsalz> > While HP NonStop is not officially supported, I have been helping to maintain
rsalz> > a fork for the platform since December and am current through 1.0.2a. We
rsalz> > do use prngd. I am looking for ways to get back on the official platform list,
rsalz> > looking for alternatives to prngd for that platform, and trying to get vendor
rsalz> > buy-in in this area.
rsalz>
rsalz> Thanks for the info.
rsalz>
rsalz> One possibility is to have a separate program use prngd and write it to a RANDFILE that openssl uses.  Probably servers are the most important users, and you could/should have one file per server ...

I'd like to remind people of the possibility to make an engine module.

Cheers,
Richard

--
Richard Levitte                         [hidden email]
                                        http://richard.levitte.org/

"Life is a tremendous celebration - and I'm invited!"
-- from a friend's blog, translated from Swedish