Remove All Software Generators
Dmitry Belyavsky
beldmit at gmail.com
Wed Oct 30 15:28:32 UTC 2019
On Wed, Oct 30, 2019 at 6:20 PM Frederick Gotham <cauldwell.thomas at gmail.com> wrote:
> Dmitry Belyavsky <beldmit at gmail.com> wrote
>
> >> /etc/ssl/openssl.cnf
> >
> > Yes, or any custom.
> > But the engine must provide the RAND_METHOD and set it as default.
>
> But if my TPM2 engine fails to load, then OpenSSL will just use the
> 'rdrand' engine.
>
> So my defense against this is to rebuild OpenSSL with the flag
> OPENSSL_NO_RDRAND.
>
It means that you've disabled the RDRAND engine.
> After I rebuild OpenSSL, I can then remove my TPM2 engine so that there's
> no engine at all.
>
> I tried running OpenSSL at my commandline just now, and here's what I got:
>
> ~# openssl
> OpenSSL> engine
> (dynamic) Dynamic engine loading support
> OpenSSL> rand -hex 10
> f49ca711e3056cf9064a
> OpenSSL>
>
>
> Where is it getting that random data from? There's no engine and
> yet it can still get a random number! I even tried deleting /dev/random and
> /dev/urandom, but it somehow is still getting random data from somewhere!
> But where?
>

You still have the OpenSSL built-in RNG.
--
SY, Dmitry Belyavsky
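The "somewhere" in the question above, as an added example that is not part of the thread and not OpenSSL's own code: on Linux, OpenSSL 1.1.1's built-in DRBG seeds itself through the getrandom(2) system call before it ever looks for /dev/urandom, so unlinking the device nodes removes nothing the kernel CRNG needs. The program below reproduces that seeding order (syscall first, device node only as a fallback) in plain C and reports which path it took; it assumes Linux with glibc 2.25 or newer for <sys/random.h>, and the 32-byte seed size is an arbitrary choice for the demonstration.

```c
/* Added example, not code from the thread or from OpenSSL. Mirrors the order
 * in which OpenSSL 1.1.1 gathers seed material on Linux: getrandom(2) first,
 * the /dev/urandom device node only if the syscall is unavailable. The syscall
 * path never opens a file, which is why deleting /dev/random and /dev/urandom
 * does not starve the built-in DRBG. Assumes Linux with glibc >= 2.25. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/random.h>
#include <unistd.h>

/* Name of the source used by the most recent successful seed_from_kernel(). */
static const char *last_seed_source = "none";

/* Fallback path: read n bytes from the /dev/urandom device node. */
static ssize_t seed_from_device(unsigned char *buf, size_t n)
{
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;                      /* node missing: nothing to read */
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0 && errno == EINTR)
            continue;
        if (r <= 0)
            break;
        got += (size_t)r;
    }
    close(fd);
    return got == n ? (ssize_t)n : -1;
}

/* Preferred path: getrandom(2) pulls from the kernel CRNG through a syscall
 * and needs no filesystem entry. Falls back to the device node only when the
 * syscall fails (e.g. ENOSYS on a pre-3.17 kernel). Returns n or -1. */
ssize_t seed_from_kernel(unsigned char *buf, size_t n)
{
    size_t got = 0;
    while (got < n) {
        ssize_t r = getrandom(buf + got, n - got, 0);
        if (r < 0) {
            if (errno == EINTR)
                continue;
            break;
        }
        got += (size_t)r;
    }
    if (got == n) {
        last_seed_source = "getrandom";
        return (ssize_t)n;
    }
    if (seed_from_device(buf, n) == (ssize_t)n) {
        last_seed_source = "/dev/urandom";
        return (ssize_t)n;
    }
    last_seed_source = "none";
    return -1;
}

/* Which source the last successful seed came from: "getrandom", "/dev/urandom"
 * or "none". */
const char *seed_source(void) { return last_seed_source; }

/* 1 if two seed buffers differ anywhere; two fresh 32-byte seeds never collide
 * in practice, so equality would indicate a broken source. */
int seeds_differ(const unsigned char *a, const unsigned char *b, size_t n)
{
    return memcmp(a, b, n) != 0;
}

int main(void)
{
    unsigned char s1[32], s2[32];
    if (seed_from_kernel(s1, sizeof s1) != (ssize_t)sizeof s1 ||
        seed_from_kernel(s2, sizeof s2) != (ssize_t)sizeof s2) {
        fprintf(stderr, "no kernel seed source available\n");
        return 1;
    }
    printf("seed source: %s\n", seed_source());
    printf("seeds differ: %d\n", seeds_differ(s1, s2, sizeof s1));
    return 0;
}
```

Two checks a practitioner would run alongside this on the box in question: `strace -f -e trace=getrandom,openat openssl rand -hex 10` shows whether the command seeded via the syscall or via an opened device node, and a few lines of C linked against the same libcrypto comparing `RAND_get_rand_method()` with `RAND_OpenSSL()` confirms whether the active RAND_METHOD is the built-in one named in the reply or one installed by an engine.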