Dmitry Belyavsky <beldmit at> wrote

>> /etc/ssl/openssl.cnf
> Yes, or any custom.
> But the engine must provide the RAND_METHOD and set it as default.

But if my TPM2 engine fails to load, then OpenSSL will just use the 
'rdrand' engine.

So my defense against this is to rebuild OpenSSL with the flag 

After I rebuild OpenSSL, I can then remove my TPM2 engine so that there's 
no engine at all.

I tried running OpenSSL at my commandline just now, and here's what I got:

~# openssl
OpenSSL> engine
(dynamic) Dynamic engine loading support
OpenSSL> rand -hex 10

Where is it getting that random data from? There's no engine and 
yet it can still get a random number! I even tried deleting /dev/random and 
/dev/urandom, but it somehow is still getting random data from somewhere! 
But where?

