Remove All Software Generators

Frederick Gotham cauldwell.thomas at gmail.com
Wed Oct 30 15:19:43 UTC 2019


Dmitry Belyavsky <beldmit at gmail.com> wrote

>> /etc/ssl/openssl.cnf
>
> Yes, or any custom.
> But the engine must provide the RAND_METHOD and set it as default.
But if my TPM2 engine fails to load, then OpenSSL will just use the 
'rdrand' engine.

So my defense against this is to rebuild OpenSSL with the flag 
OPENSSL_NO_RDRAND.

After I rebuild OpenSSL, I can then remove my TPM2 engine so that there's 
no engine at all.

I tried running OpenSSL at my commandline just now, and here's what I got:

~# openssl
OpenSSL> engine
(dynamic) Dynamic engine loading support
OpenSSL> rand -hex 10
f49ca711e3056cf9064a
OpenSSL>


Where is it getting that random data from? There's no engine and 
yet it can still get a random number! I even tried deleting /dev/random and 
/dev/urandom, but it somehow is still getting random data from somewhere! 
But where?
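
A check for the first concern in the post (an rdrand engine silently standing in when the TPM2 engine fails to load), as an added example that is not part of the original message or of OpenSSL itself. It parses the output format of `openssl engine -c` (engine id on one line, capabilities such as " [RAND]" on the next) and reports every engine that advertises RAND other than the one you expect. The sample listings and the engine id "tpm2" are constructed for the example; a real TPM2 engine may use a different id. Note that this only lists engines: OpenSSL's built-in default RAND_METHOD is not an engine and will never appear in this output, so an empty result does not mean the library has no source of random bytes.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenSSL.
# Parses `openssl engine -c` output and flags engines that provide RAND.

# Constructed sample listings in the `openssl engine -c` format (1.1.x).
SAMPLE_WITH_RDRAND='(rdrand) Intel RDRAND engine
 [RAND]
(dynamic) Dynamic engine loading support'

SAMPLE_CLEAN='(dynamic) Dynamic engine loading support'

# "tpm2" is a hypothetical engine id standing in for the poster's TPM2 engine.
SAMPLE_BOTH='(tpm2) Hypothetical TPM2 engine
 [RSA, EC, RAND]
(rdrand) Intel RDRAND engine
 [RAND]
(dynamic) Dynamic engine loading support'

# rand_engines: reads `openssl engine -c` output on stdin and prints, one per
# line, the id of every engine whose capability line contains RAND.
rand_engines() {
    awk '
        # Engine header line: "(id) description"
        /^\(/ {
            id = $1
            sub(/^\(/, "", id)
            sub(/\).*/, "", id)
            next
        }
        # Capability line: " [RSA, EC, RAND]"; tokenise and look for RAND exactly
        /^ *\[/ {
            line = $0
            gsub(/[^A-Za-z0-9_-]/, " ", line)
            n = split(line, caps, " ")
            for (i = 1; i <= n; i++)
                if (caps[i] == "RAND") print id
        }
    '
}

# unexpected_rand_engines ALLOWED_ID: like rand_engines, but suppresses the
# one engine that is supposed to be the RAND source (your TPM2 engine).
unexpected_rand_engines() {
    rand_engines | grep -v -x -- "$1" || true
}

# assert_only_rand_engine ALLOWED_ID: returns 0 if no other engine provides
# RAND, 1 (and names the offenders on stderr) otherwise.
assert_only_rand_engine() {
    offenders=$(unexpected_rand_engines "$1")
    if [ -n "$offenders" ]; then
        echo "engines other than '$1' still provide RAND: $offenders" >&2
        return 1
    fi
    return 0
}

# Live check against the installed binary: sh this_script.sh --live tpm2
if [ "${1-}" = "--live" ] && command -v openssl >/dev/null 2>&1; then
    openssl engine -c | assert_only_rand_engine "${2-tpm2}"
fi
```

Run it with `--live <your-engine-id>` after the rebuild to confirm that rdrand is gone from the listing; pass the id of your TPM2 engine so that it is not reported as an offender.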
More information about the openssl-users mailing list