Dmitry Belyavsky <beldmit@xxxxxxxxx> wrote:

>> /etc/ssl/openssl.cnf
>
> Yes, or any custom.
> But the engine must provide the RAND_METHOD and set it as default.
>

But if my TPM2 engine fails to load, then OpenSSL will just use the 'rdrand' engine. So my defense against this is to rebuild OpenSSL with the flag OPENSSL_NO_RDRAND. After I rebuild OpenSSL, I can then remove my TPM2 engine so that there's no engine at all.

I tried running OpenSSL at my command line just now, and here's what I got:

~# openssl
OpenSSL> engine
(dynamic) Dynamic engine loading support
OpenSSL> rand -hex 10
f49ca711e3056cf9064a
OpenSSL>

Where is it getting that random data from ? ? ?

There's no engine and yet it can still get a random number! I even tried deleting /dev/random and /dev/urandom, but it somehow is still getting random data from somewhere! But where?