Re: Remove All Software Generators

On Wed, Oct 30, 2019 at 6:20 PM Frederick Gotham <cauldwell.thomas@xxxxxxxxx> wrote:
> Dmitry Belyavsky <beldmit@xxxxxxxxx> wrote
>
> >> /etc/ssl/openssl.cnf
> >
> > Yes, or any custom.
> > But the engine must provide the RAND_METHOD and set it as default.
>
> But if my TPM2 engine fails to load, then OpenSSL will just use the
> 'rdrand' engine.
>
> So my defense against this is to rebuild OpenSSL with the flag
> OPENSSL_NO_RDRAND.

It means that you've disabled the RDRAND engine.

> After I rebuild OpenSSL, I can then remove my TPM2 engine so that there's
> no engine at all.
>
> I tried running OpenSSL at my command line just now, and here's what I got:
>
> ~# openssl
> OpenSSL> engine
> (dynamic) Dynamic engine loading support
> OpenSSL> rand -hex 10
> f49ca711e3056cf9064a
> OpenSSL>
>
> Where is it getting that random data from??? There's no engine and
> yet it can still get a random number! I even tried deleting /dev/random and
> /dev/urandom, but it somehow is still getting random data from somewhere!
> But where?

You still have the OpenSSL built-in RNG.


--
SY, Dmitry Belyavsky
