> Either that or just always use the per-thread DRBG for the current
thread, and don't bother to do per-SSL at all.
There is appeal to isolating each SSL connection so that an adversary can't use information it has about *it's* connection to attack another. Granted, this might not be practical, but still...