[openssl-dev] Work on a new RNG for OpenSSL
Matt Caswell
matt at openssl.org
Thu Aug 17 12:33:41 UTC 2017
On 17/08/17 13:22, Salz, Rich via openssl-dev wrote:
> I understand the concern. The issue I am wrestling with is strict
> compatibility with the existing code. Does anyone really *want* the
> RNG’s to not reseed on fork? It’s hard to imagine, but maybe
> somewhere someone is. And then it’s not about just reseeding, but
> what about when (if) we add other things, like whether or not the
> secure arena gets zero’d in a child?
>
> So let me phrase it this way: does anyone object to changing the
> default so NO_ATFORK must be used to avoid the reseeding and other
> things we might add later?
It's difficult to think of what circumstances this might break existing
code? What scenario did you have in mind? Even if it does break
something obscure, I think this is a case where security-by-default
takes precedence.
Matt
More information about the openssl-dev
mailing list