Repository :
http://git.fedorahosted.org/git/?p=secure-coding.git
On branch : master
---------------------------------------------------------------
commit 7f640d95375def0979c9f6a12c02cd414fe1eb7e
Author: Florian Weimer <fweimer(a)redhat.com>
Date: Mon Apr 28 15:41:05 2014 +0200
TLS: More balanced advice on "openssl genrsa" and /dev/urandom
---------------------------------------------------------------
defensive-coding/en-US/Features-TLS.xml | 8 +++++---
1 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/defensive-coding/en-US/Features-TLS.xml
b/defensive-coding/en-US/Features-TLS.xml
index f4da007..5d9e39d 100644
--- a/defensive-coding/en-US/Features-TLS.xml
+++ b/defensive-coding/en-US/Features-TLS.xml
@@ -190,9 +190,11 @@
genrsa</command>, do not ensure that physical entropy is used
for key generation—they obtain entropy from
<filename>/dev/urandom</filename> and other sources, but not
- from <filename>/dev/random</filename>. Keys generated by
- these tools should not be used in high-value, critical
- functions.
+ from <filename>/dev/random</filename>. This can result in
+ weak keys if the system lacks a proper entropy source (e.g., a
+ virtual machine with solid state storage). Depending on local
+ policies, keys generated by these OpenSSL tools should not be
+ used in high-value, critical functions.
</para>
<para>
The OpenSSL server and client applications (<command>openssl