sect-Defensive_Coding-TLS-OpenSSL: Mention "openssl genrsa" entropy issue

Florian Weimer 2014-04-25 13:47:22 +02:00
parent eff2f5c71f
commit 564ffc8014


@ -185,6 +185,15 @@
For instance, a verification failure in <command>openssl
verify</command> result in an exit status of zero.
</para>
<para>
OpenSSL command-line commands, such as <command>openssl
genrsa</command>, do not ensure that physical entropy is used
for key generation—they obtain entropy from
<filename>/dev/urandom</filename> and other sources, but not
from <filename>/dev/random</filename>. Keys generated by
these tools should not be used in high-value, critical
functions.
</para>
<para>
The OpenSSL server and client applications (<command>openssl
s_client</command> and <command>openssl s_server</command>)
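Review bot: the added paragraph ("Keys generated by these tools should not be used in high-value, critical functions.") states a prohibition without a criterion or an alternative, so a reader cannot act on it; suggest naming the concrete failure the /dev/urandom-only behaviour exposes (a key generated before the kernel pool has been seeded, for instance early in boot or in a freshly cloned virtual machine) and the remedy to prefer for such keys, such as generating them on a host whose pool is known to be seeded or with a tool that blocks until enough entropy is available. "High-value, critical functions" would also benefit from one example (a long-lived CA key) so the scope of the advice is clear.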