[openssl-users] Doubt about OpenSSL library initialization in an HTTP client application

Salz, Rich rsalz at akamai.com
Sat Dec 3 17:34:42 UTC 2016


What version of openssl are you using?  Current versions do not call RAND_screen or other long-term heap-walking on Windows.

You absolutely *must* properly initialize the random number generator.  If you fail to do that, attackers can guess the keys that you use.  You will be providing only the illusion of security.

Please pass this along to that other app.  What it, and you, are doing is horrible.

--
Senior Architect, Akamai Technologies
Member, OpenSSL Dev Team
IM: richsalz at jabber.at Twitter: RichSalz