On Mon, May 04, 2020 at 05:23:23PM +0200, Ruediger Pluem wrote:
> On 5/4/20 3:49 PM, Joe Orton wrote:
> > d) SSLRandomSeed. This might have made sense in 1998 but at least with
> > OpenSSL 1.1.1 which has a rewritten and fork-safe RAND, I think httpd
> > should not be doing RAND seeding ever. Currently mod_ssl will splat
> > random stack data, time() and the pid into the RNG state for each new
> > connection. Unless someone can prove this is valuable and the OpenSSL
> > PRNG is somehow broken OOTB, I think this code + directive should be
> > dropped for OpenSSL 1.1.1+, including EGD support etc.
>
> Do we drop it only for OpenSSL 1.1.1 or are there other older versions of
> OpenSSL where this is safe to drop?

From https://wiki.openssl.org/index.php/Random_fork-safety it seems like
there is some reason to believe the <1.1.1 RNG is not safe after fork
unless you help it.

I was looking at the Fedora default mod_ssl config which does have a
default "SSLRandom", but the example httpd-ssl.conf shipped does not.
So *maybe* configuring SSLRandomSeed is useful, but really if it is not
needed by default we should do something by default, which we don't.

(I feel like there should be an assumption in favour of correctness with
OpenSSL and any code which assumes incorrectness should have very strong
justification for its continued existence. Instead we have a tendency
to carry a lot of code merely because "we've always done it like this".)

> And if we drop how do we drop it? If we can only drop it for OpenSSL 1.1.1 I
> would be in favour of sending a message to the log (INFO level) that it is
> just ignored. This avoids that a config working with OpenSSL < 1.1.1
> fails with OpenSSL 1.1.1 but the same Apache version.

Very good idea, I'll do it like that.

Thanks for the feedback!

Regards, Joe
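
The fork-safety concern discussed in the message above, as an added example that is not part of the original thread and is not mod_ssl or OpenSSL code: a userspace generator's state is copied by fork(), so parent and child draw identical values unless something process-unique is mixed in afterwards. The toy splitmix64 generator, its seed and the function names are assumptions made for illustration; it is not OpenSSL's RAND and not cryptographic.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Toy splitmix64 state: a stand-in for any userspace PRNG, NOT OpenSSL's RAND. */
static uint64_t state = 0x0123456789ABCDEFULL; /* constructed seed */

static uint64_t toy_rand(void) {
    uint64_t z = (state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* Fork, draw one value on each side, and compare them.
 * stir_pid != 0: the child first XORs its pid into the state (the "help").
 * Returns 1 if parent and child drew the same value, 0 if not, -1 on error. */
int fork_outputs_collide(int stir_pid) {
    int fds[2];
    uint64_t child_val = 0;
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                 /* child: inherited a copy of the state */
        if (stir_pid) state ^= (uint64_t)getpid();
        uint64_t v = toy_rand();
        ssize_t w = write(fds[1], &v, sizeof v);
        _exit(w == (ssize_t)sizeof v ? 0 : 1);
    }
    close(fds[1]);
    uint64_t parent_val = toy_rand();
    ssize_t r = read(fds[0], &child_val, sizeof child_val);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    if (r != (ssize_t)sizeof child_val) return -1;
    return parent_val == child_val;
}

int main(void) {
    printf("no stir:  collide=%d\n", fork_outputs_collide(0));
    printf("pid stir: collide=%d\n", fork_outputs_collide(1));
    return 0;
}
```

Because every mixing step in the toy generator is a bijection, a nonzero pid XORed into the state always changes the child's next output.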