OpenSSL-3.+ how to configure [random]?

Blumenthal, Uri - 0553 - MITLL uri at
Wed Nov 10 02:35:39 UTC 2021

"man config" for OpenSSL-3.0 and newer says that there can be a "[random]" section in "openssl.cnf", where I can specify the type of RNG, other things, and *seed*, and seed *properties*.

Unfortunately, it did not bother to even list the possible/allowed values, let alone explain what they'd mean:

   Random Configuration
       The name random in the initialization section names the section containing the random number
       generater settings.

       Within the random section, the following names have meaning:

           This is used to specify the random bit generator.  For example:

            random = CTR-DRBG

           The available random bit generators are:

.  .  .  .  .
           This sets the property query used when fetching the random bit generator and any
           underlying algorithms.

           This sets the randomness source that should be used.  By default SEED-SRC will be used
           outside of the FIPS provider.  The FIPS provider uses call backs to access the same
           randomness sources from outside the validated boundary.

           This sets the property query used when fetching the randomness source.

I want to configure this [random] to use CTR-DRBG, using RDRAND as "seed". Based on "openssl list -seeds", I guess "seed = rdrand" should be OK. What properties can I set, if any? How does this "[random]" relate to the RDRAND *engine* (see below)?

$ openssl3 engine rdrand -t
(rdrand) Intel RDRAND engine
     [ available ]

Uri Blumenthal                              Voice: (781) 981-1638 
Secure Resilient Systems and Technologies   Cell:  (339) 223-5363
MIT Lincoln Laboratory                      
244 Wood Street, Lexington, MA  02420-9108      
There are two ways to design a system. One is to make it so simple there are obviously no deficiencies.
The other is to make it so complex there are no obvious deficiencies.
                                                                                                                                     -  C. A. R. Hoare
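
An added example, not part of the original message or of the OpenSSL documentation: a minimal `openssl.cnf` fragment that wires a random section into the initialization section, as the quoted man page text describes. The key names `random`, `cipher`, `seed`, `properties` and `seed_properties` are the config(5) names for the entries whose labels are missing from the excerpt above; the section names `openssl_init` and `random_sect` and the property-query values are assumptions chosen for illustration.

```ini
# Constructed example; not taken from the original message.
openssl_conf = openssl_init

[openssl_init]
# "random" in the initialization section names the section
# that holds the random number generator settings.
random = random_sect

[random_sect]
# Random bit generator, as in the man page's own example.
random = CTR-DRBG

# Cipher used by CTR-DRBG; other generators ignore this name.
cipher = AES-256-CTR

# Randomness source. SEED-SRC is the default outside the FIPS provider.
seed = SEED-SRC

# Optional property queries used when fetching the generator and the
# randomness source. The values below are illustrative assumptions.
# properties = provider=default
# seed_properties = provider=default
```

With `OPENSSL_CONF` pointing at a file containing this fragment, `openssl list -random-instances` reports the primary, public and private generators that were actually instantiated, which is the check that the section took effect.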