sect-Defensive_Coding-TLS-OpenSSL: Mention "openssl genrsa" entropy issue

defensive-coding/en-US/Features-TLS.xml

@@ -185,6 +185,15 @@
 	For instance, a verification failure in <command>openssl
 	verify</command> result in an exit status of zero.
       </para>
+      <para>
+	OpenSSL command-line commands, such as <command>openssl
+	genrsa</command>, do not ensure that physical entropy is used
+	for key generation—they obtain entropy from
+	<filename>/dev/urandom</filename> and other sources, but not
+	from <filename>/dev/random</filename>.  Keys generated by
+	these tools should not be used in high-value, critical
+	functions.
+      </para>
       <para>
 	The OpenSSL server and client applications (<command>openssl
 	s_client</command> and <command>openssl s_server</command>)