| From: | Bear Giles <bgiles(at)coyotesong(dot)com> |
|---|---|
| To: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
| Cc: | Bear Giles <bgiles(at)coyotesong(dot)com>, pgsql-patches(at)postgresql(dot)org |
| Subject: | Re: SSL (patch 5) |
| Date: | 2002-05-27 22:14:44 |
| Message-ID: | 200205272214.QAA10980@eris.coyotesong.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-patches |
> Bear Giles writes:
>
> > Patch to add initialization from entropy source, either a
> > file ($HOME/.postgresql/.rand, $DataDir/.rand) or the
> > /dev/urandom device.
>
> I seem to recall that OpenSSL handles generating appropriate randomness
> itself.
That's been an ongoing problem, and something may be done in 0.9.7.
But all of the sample implementations still show the use of explicit
initialization code, so that's why I added it.
> So far we've reject these kinds of attempts to do it ourselves.
> How does it work now?
The failure mode isn't that SSL stops, it's that it's easier for
an attacker to guess the next number that the PRNG will produce.
This can a big problem for high-volume servers.
Bear
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Neil Conway | 2002-05-27 23:10:53 | Re: COPY and default values |
| Previous Message | Christopher Kings-Lynne | 2002-05-27 22:11:38 | Re: SRF rescan testing |