OT: OpenSSL 1.0.1f

coderman coderman at gmail.com
Tue Jan 7 17:41:19 UTC 2014

On Tue, Jan 7, 2014 at 9:35 AM, coderman <coderman at gmail.com> wrote:
> in any case, end result: use 1.0.1f and be happy

and if concerned that your OS distribution or upstream OpenSSL lacks this fix,
 confirm yourself via openssl-1.0.1f/crypto/engine/eng_rdrand.c in patched src

if you see !ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL)
in the near bottom of file static int bind_helper(ENGINE *e){} definition,
 then you are safe from accidental use.

c.f. good ver: openssl-1.0.1f/crypto/engine/eng_rdrand.c
static int bind_helper(ENGINE *e)
        if (!ENGINE_set_id(e, engine_e_rdrand_id) ||
            !ENGINE_set_name(e, engine_e_rdrand_name) ||
            !ENGINE_set_flags(e, ENGINE_FLAGS_NO_REGISTER_ALL) ||
            !ENGINE_set_init_function(e, rdrand_init) ||
            !ENGINE_set_RAND(e, &rdrand_meth) )
                return 0;

        return 1;

More information about the nginx mailing list