SSL Randomness Source

Dave Barton dave.barton at comodo.com
Wed Jul 14 17:00:16 MSD 2010


Thanks Igor. That's just what I needed.

Cheers

Dave

On 14/07/10 13:44, Igor Sysoev wrote:
> On Wed, Jul 14, 2010 at 01:11:37PM +0100, Dave Barton wrote:
>
>> We currently run nginx on the majority of our internet-facing webservers
>> and we process a lot of SSL traffic. That's a lot of SSL handshakes and
>> a lot of entropy required. To help with this, we've bought some USB
>> pseudo-random entropy generating keys. These basically give the server a
>> fast source of entropy, which can be accessed via /dev/random.
>>
>> In Apache, the SSL configuration includes a directive 'SSLRandomSeed'
>> which allows you to define a source for randomness, with the default
>> being 'builtin' which uses some Apache internals as a PRNG. It includes
>> options to use a filesystem location (/dev/random for example) or an egd
>> (entropy daemon) source.
>>
>> Can anyone tell me where nginx SSL gets its entropy from by default and
>> whether it can be changed?
>
> nginx uses OpenSSL's default entropy source. On Unix systems OpenSSL tries
> to use /dev/urandom, /dev/random, /dev/srandom one after another.
> On FreeBSD /dev/urandom is a symlink to /dev/random.
>
>

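An added check that is not part of the thread or of nginx/OpenSSL: it walks the same device order Igor describes (/dev/urandom, then /dev/random, then /dev/srandom), reports which one is actually readable, and on Linux reads the kernel's entropy estimate, so an operator can confirm which device nginx's OpenSSL will land on before relying on a hardware entropy key to feed it. The constants and function names are this example's own.

```python
import os
from typing import Dict, Optional, Sequence

# Fallback order stated in the reply above; /dev/srandom exists only on some BSDs.
OPENSSL_RANDOM_DEVICES = ("/dev/urandom", "/dev/random", "/dev/srandom")
ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"  # Linux only

def probe_sources(candidates: Sequence[str], nbytes: int = 32) -> Dict[str, str]:
    """Classify each candidate as 'ok', 'short' (could not deliver nbytes
    without blocking) or 'missing' (cannot be opened)."""
    result: Dict[str, str] = {}
    for path in candidates:
        try:
            # Non-blocking so a drained blocking device does not stall the check.
            fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
        except OSError:
            result[path] = "missing"
            continue
        try:
            data = os.read(fd, nbytes)
        except OSError:  # e.g. EAGAIN when a blocking pool is empty
            data = b""
        finally:
            os.close(fd)
        result[path] = "ok" if len(data) == nbytes else "short"
    return result

def first_usable_device(candidates: Sequence[str] = OPENSSL_RANDOM_DEVICES,
                        nbytes: int = 32) -> Optional[str]:
    """First candidate that delivers nbytes, i.e. the one the fallback order lands on."""
    for path, status in probe_sources(candidates, nbytes).items():
        if status == "ok":
            return path
    return None

def entropy_available(proc_path: str = ENTROPY_AVAIL) -> Optional[int]:
    """Bits the Linux kernel currently estimates in its pool, or None if unavailable."""
    try:
        with open(proc_path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None

if __name__ == "__main__":
    for path, status in probe_sources(OPENSSL_RANDOM_DEVICES).items():
        print(f"{path}: {status}")
    print("OpenSSL would use:", first_usable_device())
    print("kernel entropy estimate (bits):", entropy_available())
```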