<div dir="ltr">Finally I think I solved this problem! :-)<div><br></div><div>This is the patch I'm going to send to the `ssl_openssl_lib` authors: <a href="http://pastebin.com/VgSpnwxB">http://pastebin.com/VgSpnwxB</a> .</div><div><br></div><div>In short, I just removed the RAND_screen() call, generated a random buffer using RAND_bytes() (based on <a href="https://wiki.openssl.org/index.php/Random_Numbers#Software">https://wiki.openssl.org/index.php/Random_Numbers#Software</a>) seeding via RAND_add().</div><div><br></div><div>Thanks a lot for the help, dudes! :-)</div><div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Dec 4, 2016 at 12:01 AM, silvioprog <span dir="ltr"><<a href="mailto:silvioprog@gmail.com" target="_blank">silvioprog@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div style="font-size:12.8px">Thanks for sharing the links, I'm going to check them.</div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">The original code call <span style="font-size:12.8px">RAND_screen() only once in the app initialization, so can I replace it by </span><span style="font-size:12.8px">RAND_add()? (I'm newbie on SSL)</span></div><div style="font-size:12.8px"><span style="font-size:12.8px"><br></span></div><div style="font-size:12.8px"><span style="font-size:12.8px">I've noticed the application is just a HTTP client consuming some web services via HTTPS. It doesn't call explicitly any OpenSSL random function, so I think it uses the default OpenSSL configurations.</span></div><div style="font-size:12.8px"><span style="font-size:12.8px"><br></span></div><div class="gmail_quote">On Sat, Dec 3, 2016 at 3:42 PM, Jeffrey Walton <span dir="ltr"><<a href="mailto:noloader@gmail.com" target="_blank">noloader@gmail.com</a>></span> wrote:</div><div class="gmail_quote">[...]<span class="gmail-"><br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Also see <a href="https://wiki.openssl.org/index.php/Library_Initialization" rel="noreferrer" target="_blank">https://wiki.openssl.org/index<wbr>.php/Library_Initialization</a> and<br>
<a href="https://wiki.openssl.org/index.php/Random_Numbers#Windows_Issues" rel="noreferrer" target="_blank">https://wiki.openssl.org/index<wbr>.php/Random_Numbers#Windows_<wbr>Issues</a>.<br>
<br>
The short of it is, you should stop relying on auto-initialization of<br>
the RNG, and seed it yourself with a call to `RAND_add`.<br>
<br>
Jeff</blockquote></span></div></div></div></blockquote></div><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div>Silvio Clécio</div></div></div>
</div></div></div>