STINNER Victor added the comment:

openssl_prng_atfork3.patch: Why not use seconds (only micro or nanoseconds) in the seed? Adding a few more bits should not reduce the entropy. OpenSSL does hash all these bytes anyway.

+#if 1 + fprintf(stderr, "PySSL_RAND_atfork_child() seeds %i bytes in %i\n", + (int)sizeof(seed), seed.pid); +#endif

This should be removed from the final patch ;-)

The patch is specific to pthread. Do we need something similar on Windows? Windows has no fork, but I don't know if OpenSSL CPRNG state can be inherited somehow? Does Python support other platforms (other than pthread or Windows)?

Instead of using pthread_atfork(), we can add a hook in the Python binding of OpenSSL checking the pid. I don't know which functions should be modified. ssl.RAND_bytes() is probably not enough :-)

----------

Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue18747>
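
Review bot: in the fprintf() call, seed.pid is passed to %i without a cast while sizeof(seed) is cast to int; if the pid field is a pid_t, cast it as well, e.g. (int)seed.pid, so the format and argument types match on every platform. The #if 1 guard also leaves the stderr write enabled in every forked child, so the block should be dropped or switched to #if 0 before this goes in.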
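
The pid-check alternative to pthread_atfork() raised in the comment above, sketched at the Python level as an added example (not part of the original message or of CPython's code). `reseed_if_forked`, `rand_bytes` and `fork_and_draw` are hypothetical names and the seed layout is an assumption; `ssl.RAND_add`, `ssl.RAND_bytes` and the `os` calls are the real APIs.

```python
import os
import ssl
import struct
import time

_seeded_pid = os.getpid()  # pid whose PRNG state is known not to be a fork copy


def reseed_if_forked() -> bool:
    """Mix pid and time into OpenSSL's PRNG if this process is a new fork child."""
    global _seeded_pid
    pid = os.getpid()
    if pid == _seeded_pid:
        return False
    # Assumed seed layout: pid, wall clock (seconds included) and monotonic clock.
    seed = struct.pack("=qqq", pid, time.time_ns(), time.monotonic_ns())
    ssl.RAND_add(seed, 0.0)  # claim no entropy: the goal is divergence from the parent
    _seeded_pid = pid
    return True


def rand_bytes(n: int) -> tuple[bool, bytes]:
    """Hypothetical wrapper: pid check first, then ssl.RAND_bytes(). Returns (reseeded, data)."""
    reseeded = reseed_if_forked()
    return reseeded, ssl.RAND_bytes(n)


def fork_and_draw(n: int = 16):
    """Draw n bytes in the parent and in a fork child (POSIX only)."""
    ssl.RAND_bytes(1)  # make sure the PRNG is initialised before forking
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: report the reseed flag and the bytes, then exit
        try:
            os.close(r)
            reseeded, data = rand_bytes(n)
            os.write(w, bytes([reseeded]) + data)
        finally:
            os._exit(0)
    os.close(w)
    with os.fdopen(r, "rb") as pipe:
        msg = pipe.read()
    os.waitpid(pid, 0)
    return rand_bytes(n), (bool(msg[0]), msg[1:])
```

The check only protects callers that go through the wrapper, which is the concern in the comment that hooking `ssl.RAND_bytes()` alone is probably not enough.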