SSL Randomness Source

Igor Sysoev igor at sysoev.ru
Wed Jul 14 16:44:53 MSD 2010


On Wed, Jul 14, 2010 at 01:11:37PM +0100, Dave Barton wrote:

> We currently run nginx on the majority of our internet-facing webservers 
> and we process a lot of SSL traffic. That's a lot of SSL handshakes and 
> a lot of entropy required. To help with this, we've bought some USB 
> pseudo-random entropy generating keys. These basically give the server a 
> fast source of entropy, which can be accessed via /dev/random.
> 
> In Apache, the SSL configuration includes a directive 'SSLRandomSeed' 
> which allows you to define a source for randomness, with the default 
> being 'builtin' which uses some Apache internals as a PRNG. It includes 
> options to use a filesystem location (/dev/random for example) or an egd 
> (entropy daemon) source.
> 
> Can anyone tell me where nginx SSL gets its entropy from by default and 
> whether it can be changed?

nginx uses OpenSSL default entropy source. On Unix systems OpenSSL tries
to use /dev/urandom, /dev/random, /dev/srandom one after another.
On FreeBSD /dev/urandom is symlink to /dev/random.


-- 
Igor Sysoev
http://sysoev.ru/en/



More information about the nginx mailing list