Andrew, openssl is rather a "mixer" than a "generator" of random data. No deterministic (ok, stable) program can make something random. To make a random secret one needs some input unavailable to the attacker. /dev/random is "internal" enough and could be quite a good one.
regards, Vadim

On Mon, 3 Dec 2001, Andrew Finnell wrote:

> If openssl can generate random data and spit it out in a file then
> why use a file to begin with? Can't openssl ( tool ) just generate its
> random data internally and use that? I think that's a lot safer than
> spitting it out to a file and prevents less problems with the random data
> getting deleted/viewed.
>
> - Andrew
>
> -------------------------------------
> Andrew T. Finnell
> Software Engineer
> eSecurity Inc
> (321) 394-2485
>
> > -----Original Message-----
> > From: Marcus Redivo [mailto:[EMAIL PROTECTED]]
> > Sent: Saturday, December 01, 2001 7:14 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: ssl-cert-HOWTO.txt for review
> >
> >
> > Hello Fiel,
> >
> > Thanks for the comments.
> >
> > At 10:45 AM 12/1/01 -0800, Fiel Cabral wrote:
> >
> > > My suggestion is to include info about the RANDFILE
> > > variable. I set RANDFILE=$HOME/.rnd in my environment
> > > and in the configuration file (the default value:
> > > $ENV::HOME/.rnd). If .rnd doesn't exist, I just copy a
> > > file to it (usually a binary file or a random-looking
> > > log file).
> >
> > I did not mention the RANDFILE, and in fact left it out of
> > the example configuration, because I was under the impression
> > that if I had /dev/*random I did not need it.
> >
> > If this is not true, could someone please correct me? Thanks.
> >
> > Now, the RANDFILE candidate. Using a binary or a log is
> > nowhere near random enough. Fortunately, openssl has a
> > command to create a better random file:
> >
> > # openssl rand -out $HOME/.rnd 1024
> >
> > (Don't send the output to your console unless you add the
> > -base64 switch, unless you like abstract art... ;) )
> >
> > BTW, I'm on the list now.
> >
> > Marcus Redivo
> >
> > The Binary Tool Foundry
> > PO Box 2087 Stn Main
> > Sidney BC Canada
> > mailto:[EMAIL PROTECTED]
> > http://www.binarytool.com
> >
> >
> > ______________________________________________________________________
> > OpenSSL Project http://www.openssl.org
> > User Support Mailing List [EMAIL PROTECTED]
> > Automated List Manager [EMAIL PROTECTED]
>

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
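The two RANDFILE practices discussed above (Marcus's `openssl rand -out $HOME/.rnd 1024` versus copying a log or binary into `.rnd`), as an added shell example that is not part of this thread or of OpenSSL itself: it creates the seed file with owner-only permissions, and rejects a candidate that is small, readable by others, or mostly printable text. The 1024-byte minimum follows Marcus's command; the 60% printable-byte threshold and the /dev/urandom fallback are choices made here.

```shell
#!/bin/sh
# Added example (not code from the thread). Assumes POSIX sh plus dd, wc, tr,
# stat and optionally the openssl CLI.

# Write NBYTES (default 1024) of seed material to PATH, readable by the owner only.
make_randfile() {
    path=$1; nbytes=${2:-1024}
    umask 077                                   # keep the seed file private
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -out "$path" "$nbytes"     # the command Marcus recommends
    else
        # fall back to the kernel pool, the source Marcus considered sufficient
        dd if=/dev/urandom of="$path" bs="$nbytes" count=1 2>/dev/null
    fi
}

# Percentage of printable ASCII bytes (0x20-0x7e) in a file. Uniformly random
# bytes land near 37% (95/256); a log or other text file lands near 100%.
printable_pct() {
    total=$(wc -c < "$1" | tr -d ' ')
    [ "$total" -gt 0 ] || { echo 0; return; }
    printable=$(LC_ALL=C tr -cd ' -~' < "$1" | wc -c | tr -d ' ')
    echo $(( printable * 100 / total ))
}

# Reject a RANDFILE candidate that is missing, smaller than 1024 bytes,
# accessible by group/others, or mostly printable text (i.e. a copied log).
check_randfile() {
    path=$1
    [ -f "$path" ] || { echo "missing: $path"; return 1; }
    size=$(wc -c < "$path" | tr -d ' ')
    [ "$size" -ge 1024 ] || { echo "too small ($size bytes): $path"; return 1; }
    mode=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path")   # GNU, then BSD
    case $mode in
        *00) ;;
        *) echo "group/world accessible (mode $mode): $path"; return 1 ;;
    esac
    pct=$(printable_pct "$path")
    [ "$pct" -le 60 ] || { echo "looks like text (${pct}% printable): $path"; return 1; }
    return 0
}

# usage: make_randfile "$HOME/.rnd" 1024 && check_randfile "$HOME/.rnd"
```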