SSL Randomness Source
Igor Sysoev
igor at sysoev.ru
Wed Jul 14 16:44:53 MSD 2010
On Wed, Jul 14, 2010 at 01:11:37PM +0100, Dave Barton wrote:
> We currently run nginx on the majority of our internet-facing webservers
> and we process a lot of SSL traffic. That's a lot of SSL handshakes and
> a lot of entropy required. To help with this, we've bought some USB
> pseudo-random entropy generating keys. These basically give the server a
> fast source of entropy, which can be accessed via /dev/random.
>
> In Apache, the SSL configuration includes a directive 'SSLRandomSeed'
> which allows you to define a source for randomness, with the default
> being 'builtin' which uses some Apache internals as a PRNG. It includes
> options to use a filesystem location (/dev/random for example) or an egd
> (entropy daemon) source.
>
> Can anyone tell me where nginx SSL gets its entropy from by default and
> whether it can be changed?
nginx uses the OpenSSL default entropy source. On Unix systems OpenSSL tries
to use /dev/urandom, /dev/random and /dev/srandom, one after another.
On FreeBSD, /dev/urandom is a symlink to /dev/random.
--
Igor Sysoev
http://sysoev.ru/en/
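A quick host-side check that follows the probe order Igor describes, as an added example that is not part of the original thread and not nginx's or OpenSSL's own code: it reports which of /dev/urandom, /dev/random and /dev/srandom this machine would hand to OpenSSL first, resolves any symlink (the FreeBSD case), shows the Linux kernel's entropy pool estimate, and confirms that bytes can actually be read. The /proc/sys/kernel/random/entropy_avail path is a Linux assumption and is reported as "n/a" elsewhere; the device order is taken from the reply above.

```shell
#!/bin/sh
# Added example (not from the nginx list post, nginx or OpenSSL):
# walk the device list in the order given in Igor's reply and report
# what this host would supply as OpenSSL's default seed source.

# Candidate devices in the probe order stated in the reply.
RAND_DEVICES="/dev/urandom /dev/random /dev/srandom"

# Print the first candidate that exists and is readable; fail if none does.
first_rand_device() {
    for dev in $RAND_DEVICES; do
        if [ -r "$dev" ]; then
            printf '%s\n' "$dev"
            return 0
        fi
    done
    return 1
}

# Resolve a device path through symlinks (FreeBSD's /dev/urandom -> /dev/random).
# Falls back to the path itself where readlink -f is unavailable.
resolve_device() {
    dev="$1"
    if command -v readlink >/dev/null 2>&1 && readlink -f "$dev" >/dev/null 2>&1; then
        readlink -f "$dev"
    else
        printf '%s\n' "$dev"
    fi
}

# Kernel pool estimate; the /proc path is a Linux assumption.
entropy_avail() {
    if [ -r /proc/sys/kernel/random/entropy_avail ]; then
        cat /proc/sys/kernel/random/entropy_avail
    else
        echo n/a
    fi
}

# Read one block of N bytes from a device and print how many arrived.
# dd is POSIX; a short count means the device could not satisfy the read.
read_sample_bytes() {
    dd if="$1" bs="$2" count=1 2>/dev/null | wc -c | tr -d ' '
}

# Report, guarded so a host with no readable device still exits cleanly.
if dev=$(first_rand_device); then
    echo "first readable device in OpenSSL order: $dev"
    echo "resolves to:                            $(resolve_device "$dev")"
    echo "kernel entropy_avail:                   $(entropy_avail)"
    echo "bytes read in one 32-byte request:      $(read_sample_bytes "$dev" 32)"
else
    echo "none of $RAND_DEVICES is readable on this host"
fi
```

Run it on an nginx front end before and after starting whatever daemon feeds the USB entropy key into the kernel pool; the entropy_avail figure is the number that changes, while the device OpenSSL picks first does not.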