Thanks for replying!

I found two libraries in the application's directory: libeay32.dll and
ssleay32.dll, both with file version 0.9.8.14 and product version 0.9.8n.

I totally agree about properly initializing the random number generator,
however I don't know how to do that yet. The code I'm using is a third
party Pascal binding for the OpenSSL C library, and I've noticed that many
other packages were based on that implementation too (e.g.
https://github.com/graemeg/freepascal/blob/master/packages/openssl/src/openssl.pas#L4442
- it seems to be based on an old LibOpenSsl version).

The application I'm fixing uses the same file as the link above, and I can
edit it without problems. I removed the RAND_screen line and now the
application initializes fast, but I'm not sure whether it will make my
application vulnerable.

If I manage to solve it, I will try to share a patch with the authors of
these bindings.

On Sat, Dec 3, 2016 at 2:34 PM, Salz, Rich <rs...@akamai.com> wrote:

> What version of openssl are you using?  Current versions do not call
> RAND_screen or other long-term heap-walking on Windows.
>
> You absolutely **must** properly initialize the random number generator.
> If you fail to do that, attackers can guess the keys that you use.  You
> will be providing only the illusion of security.
>
> Please pass this along to that other app.  What it, and you, are doing is
> horrible.
>
> --
> Senior Architect, Akamai Technologies
> Member, OpenSSL Dev Team
> IM: richs...@jabber.at Twitter: RichSalz

-- 
Silvio Clécio
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users