Re: Automatically generated configuration files

On 04/24/2014 05:39 PM, Paul Wouters wrote:
> On Thu, 24 Apr 2014, Florian Weimer wrote:
>
>> I don't think "openssl genrsa 2048" has this issue on today's
>> machines.  (I know I saw it with GNUTLS.)
>
> I was sceptical, so I tried this on a freshly booted VM:
>
> root@bofh:~# virsh start north
> Domain north started
> root@bofh:~# ssh root@north
> Last login: Wed Apr 23 11:54:46 2014
> [root@north ~]# time openssl genrsa 2048
> [...]
> real    0m0.382s
> user    0m0.267s
> sys    0m0.003s
>
> Call me very surprised! We finally have real entropy in VMs now. Good news!

I'm afraid your conclusion does not follow from the facts. "openssl genrsa" simply does not ensure that actual physical entropy is available. I'll make this quite explicit in my advice.

Most of the "openssl" subcommands are tools for testing and debugging OpenSSL itself, and should not be used for other purposes.

--
Florian Weimer / Red Hat Product Security Team
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
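
Added example, not part of the original message or of OpenSSL: a short run time like the one quoted above says nothing about seeding, whereas a non-blocking getrandom(2) probe reports whether the kernel considers its CSPRNG initialized. It assumes Linux 3.17 or later with glibc 2.25 or later; the function and enum names are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/random.h>
#include <sys/types.h>

/* Hypothetical names, introduced for this example only. */
enum seed_state { SEED_READY = 0, SEED_NOT_READY = 1, SEED_UNKNOWN = 2 };

/* Interpret the result of getrandom(buf, 1, GRND_NONBLOCK).
 * ret == 1          : the kernel pool is initialized, a byte was returned.
 * ret < 0, EAGAIN   : the pool is not initialized yet; a blocking call
 *                     would have waited here.
 * anything else     : ENOSYS (kernel older than 3.17), EINTR, a seccomp
 *                     filter, ...; the seed state cannot be determined. */
enum seed_state classify_probe(ssize_t ret, int err)
{
    if (ret == 1)
        return SEED_READY;
    if (ret < 0 && err == EAGAIN)
        return SEED_NOT_READY;
    return SEED_UNKNOWN;
}

/* Ask the running kernel without ever blocking. */
enum seed_state kernel_seed_state(void)
{
    unsigned char byte;
    ssize_t ret = getrandom(&byte, 1, GRND_NONBLOCK);
    return classify_probe(ret, ret < 0 ? errno : 0);
}

/* Fail closed: only a positive answer allows long-term key generation. */
int safe_to_generate_key(enum seed_state s)
{
    return s == SEED_READY;
}

int main(void)
{
    static const char *names[] = { "ready", "not ready", "unknown" };
    enum seed_state s = kernel_seed_state();

    printf("kernel CSPRNG seed state: %s\n", names[s]);
    /* Exit status 0 only when key generation may proceed. */
    return safe_to_generate_key(s) ? 0 : 1;
}
```

A provisioning script can run this before any key generation step and defer the step on a non-zero exit status.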
