[openssl-users] Doubt about OpenSSL library initialization in an HTTP client application
silvioprog at gmail.com
Sun Dec 4 03:00:25 UTC 2016
Thanks for replying!

I found two libraries in the application's directory: libeay32.dll and
ssleay32.dll, both with file version 0.9.8.14 and product version 0.9.8n.

I totally agree about properly initializing the random number generator,
however I don't know how to do that yet. The code I'm using is a
third-party Pascal binding for the OpenSSL C library, and I've noticed that many
other packages were based on that implementation too (eg:
- it seems based on an old LibOpenSsl version).

The application I'm fixing uses the same file as this link above, and I can
edit it without problems. I removed the line RAND_screen and now the
application initializes fast, but I'm not sure if it will turn my

If I get to solve it I will try some patch sharing it to the authors of

On Sat, Dec 3, 2016 at 2:34 PM, Salz, Rich <rsalz at akamai.com> wrote:

> What version of openssl are you using? Current versions do not call
> RAND_screen or other long-term heap-walking on Windows.
>
> You absolutely **must** properly initialize the random number generator.
> If you fail to do that, attackers can guess the keys that you use. You
> will be providing only the illusion of security.
>
> Please pass this along to that other app. What it, and you, are doing is
>
> Senior Architect, Akamai Technologies
> Member, OpenSSL Dev Team
> IM: richsalz at jabber.at Twitter: RichSalz
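
An added example, not part of the original post or of the Pascal binding it mentions: one way to seed the OpenSSL PRNG explicitly from the Windows CSPRNG in place of RAND_screen, and to refuse to continue if OpenSSL does not report the PRNG as seeded. It assumes Free Pascal or Delphi on Windows with libeay32.dll loadable by name; `RandSeedCheck`, `SeedOpenSSLFromOS`, `TCryptProv` and `SEED_BYTES` are hypothetical names chosen for the illustration.

```pascal
program RandSeedCheck;
{$IFDEF FPC}{$MODE DELPHI}{$ENDIF}
{$APPTYPE CONSOLE}
uses
  Windows;

const
  LIBEAY = 'libeay32.dll';                 // DLL named in the post
  ADVAPI = 'advapi32.dll';
  PROV_RSA_FULL       = 1;
  CRYPT_VERIFYCONTEXT = DWORD($F0000000);  // no key container needed
  SEED_BYTES          = 32;                // assumption: 256 bits of seed

type
  TCryptProv = ULONG_PTR;                  // HCRYPTPROV

// OpenSSL PRNG entry points exported by libeay32.dll
procedure RAND_add(buf: Pointer; num: Integer; entropy: Double); cdecl; external LIBEAY;
function RAND_status: Integer; cdecl; external LIBEAY;

// Windows CryptoAPI (operating-system CSPRNG)
function CryptAcquireContextA(var hProv: TCryptProv; Container, Provider: PAnsiChar;
  ProvType, Flags: DWORD): BOOL; stdcall; external ADVAPI;
function CryptGenRandom(hProv: TCryptProv; Len: DWORD; Buffer: Pointer): BOOL;
  stdcall; external ADVAPI;
function CryptReleaseContext(hProv: TCryptProv; Flags: DWORD): BOOL;
  stdcall; external ADVAPI;

// Feeds SEED_BYTES from the OS CSPRNG into OpenSSL. Returns True only if
// OpenSSL afterwards reports its PRNG as seeded.
function SeedOpenSSLFromOS: Boolean;
var
  Prov: TCryptProv;
  Buf: array[0..SEED_BYTES - 1] of Byte;
begin
  Result := False;
  if not CryptAcquireContextA(Prov, nil, nil, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT) then
    Exit;
  try
    if CryptGenRandom(Prov, SEED_BYTES, @Buf[0]) then
    begin
      RAND_add(@Buf[0], SEED_BYTES, SEED_BYTES);  // credit one byte of entropy per byte
      Result := RAND_status = 1;
    end;
  finally
    FillChar(Buf, SizeOf(Buf), 0);                // do not leave the seed on the stack
    CryptReleaseContext(Prov, 0);
  end;
end;

begin
  if not SeedOpenSSLFromOS then
    Halt(1);  // fail closed: no key generation or TLS handshake on an unseeded PRNG
  Writeln('OpenSSL PRNG seeded');
end.
```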