Repository : http://git.fedorahosted.org/git/?p=secure-coding.git On branch : master commit 7f640d95375def0979c9f6a12c02cd414fe1eb7e Author: Florian Weimer <fweimer(a)redhat.com&gt; Date: Mon Apr 28 15:41:05 2014 +0200 TLS: More balanced advice on "openssl genrsa" and /dev/urandom defensive-coding/en-US/Features-TLS.xml | 8 +++++--- 1 files changed, 5 insertions(+), 3 deletions(-) diff --git a/defensive-coding/en-US/Features-TLS.xml b/defensive-coding/en-US/Features-TLS.xml index f4da007..5d9e39d 100644 --- a/defensive-coding/en-US/Features-TLS.xml +++ b/defensive-coding/en-US/Features-TLS.xml @@ -190,9 +190,11 @@ genrsa</command>, do not ensure that physical entropy is used for key generation—they obtain entropy from <filename>/dev/urandom</filename> and other sources, but not - from <filename>/dev/random</filename>. Keys generated by - these tools should not be used in high-value, critical - functions. + from <filename>/dev/random</filename>. This can result in + weak keys if the system lacks a proper entropy source (e.g., a + virtual machine with solid state storage). Depending on local + policies, keys generated by these OpenSSL tools should not be + used in high-value, critical functions. </para> <para> The OpenSSL server and client applications (<command>openssl