Thanks for replying! I found two libraries in the application's directory: libeay32.dll and ssleay32.dll, both with file version 0.9.8.14 and product version 0.9.8n.

I totally agree about properly initializing the random number generator; however, I don't know how to do that yet. The code I'm using is a third-party Pascal binding for the OpenSSL C library, and I've noticed that many other packages were based on that implementation too (e.g. https://github.com/graemeg/freepascal/blob/master/packages/openssl/src/openssl.pas#L4442 - it seems to be based on an old LibOpenSsl version). The application I'm fixing uses the same file as the link above, and I can edit it without problems. I removed the RAND_screen line and now the application initializes fast, but I'm not sure whether that will make my application vulnerable. If I manage to solve it, I will try to share a patch with the authors of these bindings.

On Sat, Dec 3, 2016 at 2:34 PM, Salz, Rich <rs...@akamai.com> wrote:
> What version of openssl are you using? Current versions do not call
> RAND_screen or other long-term heap-walking on Windows.
>
> You absolutely **must** properly initialize the random number generator.
> If you fail to do that, attackers can guess the keys that you use. You
> will be providing only the illusion of security.
>
> Please pass this along to that other app. What it, and you, are doing is
> horrible.
>
> --
> Senior Architect, Akamai Technologies
> Member, OpenSSL Dev Team
> IM: richs...@jabber.at Twitter: RichSalz

--
Silvio Clécio
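The check Rich is asking for, as an added example that is not part of this thread, of OpenSSL, or of the Pascal bindings: a small Python script that loads libcrypto through ctypes (libeay32.dll on Windows, the file named above; whatever ctypes.util finds elsewhere), asks RAND_status() whether the PRNG is seeded, calls RAND_poll() once to seed it from the platform's own sources if it is not, and refuses to hand out key material unless RAND_status() then reports 1. RAND_status, RAND_poll and RAND_bytes are real OpenSSL C entry points present in 0.9.8 as well as current releases; the library search order, the helper names and the "refuse instead of continuing" policy are this example's own choices. A Pascal caller replacing the RAND_screen line would wrap the same three calls.

```python
"""Check that OpenSSL's PRNG is seeded before producing key material.

Added example, not code from the thread or the bindings. It relies only on
three real OpenSSL C entry points: RAND_status(), RAND_poll(), RAND_bytes().
"""
import ctypes
import ctypes.util
import sys


def load_libcrypto(explicit_path=None):
    """Load libcrypto and declare the C signatures we use.

    Search order (this example's choice): an explicit path, then
    libeay32.dll on Windows (the 0.9.8 file name from the thread), then
    whatever ctypes.util reports for 'crypto'. Returns None on failure.
    """
    candidates = []
    if explicit_path:
        candidates.append(explicit_path)
    if sys.platform == "win32":
        candidates.append("libeay32.dll")
    found = ctypes.util.find_library("crypto")
    if found:
        candidates.append(found)
    for name in candidates:
        try:
            lib = ctypes.CDLL(name)  # OpenSSL exports are cdecl, so CDLL
            # Declare return and argument types so ctypes does not guess.
            lib.RAND_status.restype = ctypes.c_int
            lib.RAND_status.argtypes = []
            lib.RAND_poll.restype = ctypes.c_int
            lib.RAND_poll.argtypes = []
            lib.RAND_bytes.restype = ctypes.c_int
            lib.RAND_bytes.argtypes = [ctypes.c_void_p, ctypes.c_int]
        except (OSError, AttributeError):
            continue
        return lib
    return None


def ensure_seeded(lib, max_polls=1):
    """Return True once RAND_status() reports a seeded PRNG.

    RAND_status() == 1 is the condition RAND_screen was (slowly) trying to
    reach. If it is 0, RAND_poll() gathers entropy from the platform; if it
    is still 0 afterwards, the caller must not generate keys.
    """
    if lib.RAND_status() == 1:
        return True
    for _ in range(max_polls):
        lib.RAND_poll()
        if lib.RAND_status() == 1:
            return True
    return False


def random_bytes(lib, n):
    """Key-material helper that refuses to run on an unseeded PRNG."""
    if not ensure_seeded(lib):
        raise RuntimeError("OpenSSL PRNG is not seeded; refusing to produce key material")
    buf = ctypes.create_string_buffer(n)  # exactly n bytes
    if lib.RAND_bytes(buf, n) != 1:
        raise RuntimeError("RAND_bytes() failed")
    return buf.raw


if __name__ == "__main__":
    # Usage: python rng_check.py [path-to-libcrypto, e.g. C:\app\libeay32.dll]
    lib = load_libcrypto(sys.argv[1] if len(sys.argv) > 1 else None)
    if lib is None:
        sys.exit("no libcrypto found")
    print("seeded:", ensure_seeded(lib))
    print("32 random bytes:", random_bytes(lib, 32).hex())
```

Point it at the application's own libeay32.dll to see what that specific build reports: if "seeded:" comes back False even after RAND_poll(), the application has no business generating keys with that library on that machine, which is exactly the "illusion of security" Rich describes.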
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users