author | Bob Beck <beck@cvs.openbsd.org> | 2000-04-26 16:19:40 +0000 |
---|---|---|
committer | Bob Beck <beck@cvs.openbsd.org> | 2000-04-26 16:19:40 +0000 |
commit | ab63644bca0473543e1e6d26011978c17c007f04 (patch) | |
tree | 31f9b2d147c4d2a478b04f2f1c710ec99e2acb71 | |
parent | 2c237617ab49467923daf7a295ae0711c31d63c8 (diff) |
Add a section talking about random data sources, /dev/arandom, and what
happens when it's not there.
-rw-r--r-- | share/man/man8/ssl.8 | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/share/man/man8/ssl.8 b/share/man/man8/ssl.8 index 14040fb1d8c..f16f2318da2 100644 --- a/share/man/man8/ssl.8 +++ b/share/man/man8/ssl.8 @@ -118,6 +118,30 @@ See for more details on adding RSA capable libraries. Once your ssl libraries are updated, the ssl libraries will be fully functional. +.Sh RANDOM DATA SOURCE +OpenBSD uses the +.Xr arandom 4 +device as the default source for random data when needed by the routines in +libcrypto and libssl. If the +.Xr arandom 4 +device does not exist or is not readable, many of the routines will fail. +This is most commonly seen by users as the +.Ar RSA +routines failing in applications such as +.Xr ssh 1 , +and +.Xr httpd 8 , +even after the +.Ar RSA +capable versions of the library have been added to the system. +.Pp +It is important to remember when using a random data source for certificate +and key generation that the random data source should not be visible by +people who could duplicate the process and come up with the same result. +You should ensure that nobody who you don't trust is in a position to read +the same random data used by you to generate keys and certificates. See +.Xr openssl 1 +for more information on how to use different sources of random data. .Sh SERVER CERTIFICATES The most common uses of .Ar SSL/TLS @@ -264,6 +288,7 @@ Patents can be renewed. .Xr isakmpd 8 , .Xr pkg_add 1 , .Xr openssl 1 , +.Xr arandom 4, .Xr ssl 3 , .Xr rc 8 .Sh HISTORY |
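Review bot: the new RANDOM DATA SOURCE section (first hunk) states that libcrypto and libssl routines fail when arandom(4) is missing or unreadable, and that users see this as RSA failures in ssh(1) and httpd(8), but it never tells the reader how to verify that the device node exists or what to do when it does not; since the commit message promises to cover "what happens when it's not there", a sentence on checking for the device (or a cross-reference to where recreating device nodes is documented) would complete the section. Minor wording in the same hunk: "visible by people" reads better as "visible to people", "nobody who you don't trust" as "nobody you do not trust", and the comma in ".Xr ssh 1 , and .Xr httpd 8 ," before "and" is unnecessary with only two items.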
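Review bot: in the SEE ALSO hunk, ".Xr arandom 4," has no space before the trailing comma, unlike the neighbouring ".Xr openssl 1 ," and ".Xr ssl 3 ,"; mdoc only recognises trailing punctuation when it is a separate argument, so as written the comma becomes part of the section argument, and the line should read ".Xr arandom 4 ," to match the surrounding entries.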