[openssl-users] Doubt about OpenSSL library initialization in an HTTP client application

silvioprog silvioprog at gmail.com
Sun Dec 4 03:00:25 UTC 2016


Thanks for replying!

I found two libraries in the application's directory: libeay32.dll and
ssleay32.dll, both with file version 0.9.8.14 and product version 0.9.8n.

I totally agree about properly initializing the random number generator,
however I don't know how to do that yet. The code I'm using is a third
party Pascal binding for the OpenSSL C library, and I've noticed that many
other packages were based on that implementation too (e.g.:
https://github.com/graemeg/freepascal/blob/master/packages/openssl/src/openssl.pas#L4442
- it seems to be based on an old LibOpenSsl version).

The application I'm fixing uses the same file as the link above, and I can
edit it without problems. I removed the RAND_screen line and now the
application initializes fast, but I'm not sure if it will make my
application vulnerable.

If I manage to solve it, I will try to share a patch with the authors of
these bindings.

On Sat, Dec 3, 2016 at 2:34 PM, Salz, Rich <rsalz at akamai.com> wrote:

> What version of openssl are you using?  Current versions do not call
> RAND_screen or other long-term heap-walking on Windows.
>
> You absolutely **must** properly initialize the random number generator.
> If you fail to do that, attackers can guess the keys that you use.  You
> will be providing only the illusion of security.
>
> Please pass this along to that other app.  What it, and you, are doing is
> horrible.
>
> --
> Senior Architect, Akamai Technologies
> Member, OpenSSL Dev Team
> IM: richsalz at jabber.at Twitter: RichSalz

-- 
Silvio Clécio
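The check that is missing from the thread above is RAND_status(): after dropping RAND_screen, the application should verify that the PRNG reports itself as seeded before any key material is generated, and seed it from the OS CSPRNG if it does not. The following is an added example, not code from the Pascal binding or from OpenSSL; it uses Python's standard ssl module because it exposes the same RAND_status / RAND_add / RAND_bytes calls from the C API, and it assumes the OS CSPRNG (os.urandom) is available.

```python
import os
import ssl

# Number of OS-CSPRNG bytes to mix in if OpenSSL reports an unseeded PRNG.
SEED_BYTES = 32


def ensure_rng_seeded() -> bool:
    """Return True only when OpenSSL's PRNG reports itself as seeded.

    RAND_status() answers the question the thread leaves open: whether the
    library has gathered enough entropy, regardless of how it was gathered
    (RAND_screen on old 0.9.8 builds, RAND_poll, or the OS CSPRNG on modern
    builds). If it is not seeded, mix in entropy from the OS CSPRNG with
    RAND_add and check again. This replaces the slow screen walk with the
    cheap, correct source: the operating system's own random generator.
    """
    if ssl.RAND_status():
        return True
    # The second argument is the entropy estimate in bytes; os.urandom
    # output is treated as full-entropy, so it equals the buffer length.
    ssl.RAND_add(os.urandom(SEED_BYTES), float(SEED_BYTES))
    return bool(ssl.RAND_status())


def generate_key_material(nbytes: int) -> bytes:
    """Fail closed: never hand out key material from an unseeded PRNG."""
    if not ensure_rng_seeded():
        raise RuntimeError("OpenSSL PRNG is not seeded; refusing to generate keys")
    return ssl.RAND_bytes(nbytes)


if __name__ == "__main__":
    print("seeded:", ensure_rng_seeded())
    print("32 bytes of key material:", generate_key_material(32).hex())
```

On OpenSSL 1.1.1 and later the library seeds itself from the OS and RAND_status() is already 1 at startup, so the fail-closed check costs nothing there; it only bites on the old 0.9.8 builds the thread is about.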