On Wed, Oct 30, 2019 at 6:20 PM Frederick Gotham <cauldwell.tho...@gmail.com> wrote:
> Dmitry Belyavsky <beld...@gmail.com> wrote
> > >> /etc/ssl/openssl.cnf
> >
> > Yes, or any custom.
> > But the engine must provide the RAND_METHOD and set it as default.
> >
>
> But if my TPM2 engine fails to load, then OpenSSL will just use the
> 'rdrand' engine.
>
> So my defense against this is to rebuild OpenSSL with the flag
> OPENSSL_NO_RDRAND.
>

It means that you've disabled the RDRAND engine.

> After I rebuild OpenSSL, I can then remove my TPM2 engine so that there's
> no engine at all.
>
> I tried running OpenSSL at my command line just now, and here's what I got:
>
> ~# openssl
> OpenSSL> engine
> (dynamic) Dynamic engine loading support
> OpenSSL> rand -hex 10
> f49ca711e3056cf9064a
> OpenSSL>
>
> Where is it getting that random data from??? There's no engine and
> yet it can still get a random number! I even tried deleting /dev/random
> and /dev/urandom, but it somehow is still getting random data from somewhere!
> But where?
>

You still have the OpenSSL built-in RNG.

--
SY, Dmitry Belyavsky
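A check implied by the thread, added here as an example (not code from the thread or from OpenSSL): it parses the listing printed by `openssl engine -c -t` and fails closed unless the configured engine is present and provides RAND, and it reports whether the rdrand engine is still listed, i.e. whether the OPENSSL_NO_RDRAND rebuild took effect. The engine id `tpm2tss` and the sample listings are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or OpenSSL. Fails closed unless the named
# engine is listed by `openssl engine -c -t` (1.1.x), advertises RAND and is
# [ available ], and flags rdrand if it is still present (OPENSSL_NO_RDRAND not
# in effect). Engine id "tpm2tss" is an assumption; use your TPM2 engine's id.
rand_engine_state() {   # ID LISTING -> prints ok | no-rand | unavailable | missing
  printf '%s\n' "$2" | awk -v id="$1" '
    # "(id) description" opens a new engine block
    /^\([^)]*\)/ { cur = substr($1, 2, length($1) - 2); seen[cur] = 1; next }
    cur == id && /^ *\[.*RAND/     { hasrand = 1 }
    cur == id && /\[ available \]/ { avail = 1 }
    END {
      if (!(id in seen))  print "missing"
      else if (!hasrand)  print "no-rand"
      else if (!avail)    print "unavailable"
      else                print "ok"
    }'
}
rdrand_present() {      # LISTING -> exit 0 if the rdrand engine is listed at all
  printf '%s\n' "$1" | grep -q '^(rdrand)'
}
rand_source_ok() {      # ID LISTING -> exit 0 only if ID provides RAND and rdrand is gone
  [ "$(rand_engine_state "$1" "$2")" = ok ] && ! rdrand_present "$2"
}

# Constructed sample listings in the format `openssl engine -c -t` prints.
# Before the rebuild: the TPM2 engine is fine, but rdrand is still a fallback.
LISTING_BEFORE='(tpm2tss) TPM2 engine
 [RAND]
     [ available ]
(rdrand) Intel RDRAND engine
 [RAND]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]'
# After rebuilding with OPENSSL_NO_RDRAND: rdrand is no longer listed.
LISTING_AFTER='(tpm2tss) TPM2 engine
 [RAND]
     [ available ]
(dynamic) Dynamic engine loading support
     [ unavailable ]'

# Live check against the installed openssl:  sh check.sh --live [engine-id]
if [ "${1:-}" = "--live" ]; then
  rand_source_ok "${2:-tpm2tss}" "$(openssl engine -c -t 2>/dev/null)" || exit 1
fi
```

Note that an engine showing up as available is not the same as its RAND_METHOD being the default; this only catches the case where the engine never loaded or the rdrand fallback is still compiled in.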