Remove All Software Generators
Frederick Gotham
cauldwell.thomas at gmail.com
Wed Oct 30 15:19:43 UTC 2019
Dmitry Belyavsky <beldmit at gmail.com> wrote:
>> /etc/ssl/openssl.cnf
>
> Yes, or any custom.
> But the engine must provide the RAND_METHOD and set it as default.
>
>
But if my TPM2 engine fails to load, then OpenSSL will just use the
'rdrand' engine.
So my defense against this is to rebuild OpenSSL with the flag
OPENSSL_NO_RDRAND.
After I rebuild OpenSSL, I can then remove my TPM2 engine so that there's
no engine at all.
I tried running OpenSSL at my commandline just now, and here's what I got:
~# openssl
OpenSSL> engine
(dynamic) Dynamic engine loading support
OpenSSL> rand -hex 10
f49ca711e3056cf9064a
OpenSSL>
Where is it getting that random data from? There's no engine and
yet it can still get a random number! I even tried deleting /dev/random and
/dev/urandom, but it somehow is still getting random data from somewhere!
But where?