Contents
Does OpenSSL use dev random?
OpenSSL absolutely does use /dev/random when available: an excerpt from one of the answers in the FAQ: All OpenSSL versions try to use /dev/urandom by default; starting with version 0.9.
Is Dev random cryptographically secure?
The /dev/random kernel module polls the running system to gather entropy used to generate what are considered true random numbers. While this decreases the quality of the randomness over time, it is still considered a cryptographically secure PRNG.
What is Randfile?
RANDFILE is used by OpenSSL to store some amount (256 bytes) of seed data from the CSPRNG used internally across invocations. This is particularly useful on low-entropy systems (i.e., embedded devices) that make frequent SSL invocations. The file is loaded via the function RAND_load_file .
What is Openssl_random_pseudo_bytes?
Description ¶ openssl_random_pseudo_bytes(int $length , bool &$strong_result = null ): string. Generates a string of pseudo-random bytes, with the number of bytes determined by the length parameter.
How does the random number generator in OpenSSL work?
OpenSSL will attempt to seed the random number generator automatically upon instantiation by calling RAND_poll. RAND_poll seeds the random number generator using a system-specific entropy source, which is /dev/urandom on UNIX-like operating systems, and is a combination of CryptGenRandom and other sources of entropy on Windows.
Why is OpenSSL seeding from / dev / urandom?
Since reads from /dev/random may block, users will usually want to open it in nonblocking mode (or per‐ form a read with timeout), and provide some sort of user notification if the desired entropy is not immediately available. So I would guess that OpenSSL was seeding from /dev/urandom, not from getrandom ().
Why does OpenSSL not load a Rand file?
As far as I know (and I verified it using strace), openssl rand does not read or write a rand file unless you provide the -rand resp. -writerand option. Now if you explicitely tell openssl to create this rand file as root, it is your duty to change the file permissions or ownership in order to be able to load it back in again.
How to remove a randfile from openssl.cnf?
Removing (or commenting out) RANDFILE = $ENV::HOME/.rnd from /etc/ssl/openssl.cnf worked for me. Please open a new issue, don’t post a different problem to a closed issue.