Thorsten Glaser wrote:
> Florian Weimer dixit:
> > Historically, the OpenSSL command line tools have been intended for
> > debugging only.
>
> I disagree, in the case of genrsa and friends anyway.
Me too, and openssl(1ssl) does not mention debugging, or say "not for production use", or give any warnings. Also, openssl genpkey seems to have the same problem for RSA keys, and so does openssl dsaparam for DSA keys.

Google has 96k hits for "openssl genrsa". The very second hit is a HOWTO on generating RSA keys located on .... openssl.org! (The same file is shipped as /usr/share/doc/openssl/HOWTO/keys.txt in Debian.)

Also, /usr/sbin/make-ssl-cert uses openssl req, and strace shows it also reading only 32 bytes of entropy. ENTROPY_NEEDED is hardcoded to 32.

-- 
see shy jo
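As an added example (not code from the thread), a small sh/awk check that totals the bytes a traced process read from /dev/urandom, which is the measurement the writer describes doing with strace on make-ssl-cert; the trace lines, fd numbers and byte counts below are constructed, and the 32-byte threshold is the ENTROPY_NEEDED value quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sample of what
# `strace -e trace=open,openat,read,close openssl genrsa 2048` might print;
# the fd numbers and byte counts are made up for illustration.
TRACE_SAMPLE='openat(AT_FDCWD, "/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 3
read(3, "\x8a\x11..."..., 32) = 32
close(3)                                = 0
openat(AT_FDCWD, "/etc/ssl/openssl.cnf", O_RDONLY) = 3
read(3, "# OpenSSL configuration"..., 4096) = 4096
close(3)                                = 0'

# urandom_bytes_read: read strace output on stdin, print the total number of
# bytes read from /dev/urandom. Tracks which fd currently refers to
# /dev/urandom so reads on the same fd number after close() (fd reuse,
# e.g. the config file above) are not counted.
urandom_bytes_read() {
    awk '
        BEGIN { ufd = -1 }
        /^open(at)?\(.*"\/dev\/urandom"/ {
            sub(/.*= */, ""); ufd = $0 + 0; next
        }
        /^close\(/ {
            split($0, a, /[()]/); if (a[2] + 0 == ufd) ufd = -1; next
        }
        /^read\(/ {
            split($0, a, /[(,]/); fd = a[2] + 0
            if (fd == ufd) { n = $0; sub(/.*= */, "", n); total += n + 0 }
        }
        END { print total + 0 }
    '
}

# check_entropy_read MIN: succeed (exit 0) if the trace on stdin shows at
# least MIN bytes read from /dev/urandom, fail otherwise. MIN defaults to 32.
check_entropy_read() {
    n=$(urandom_bytes_read)
    echo "bytes read from /dev/urandom: $n"
    [ "$n" -ge "${1:-32}" ]
}

# Stand-alone usage on the constructed sample (a real run would pipe
# `strace -o /dev/stdout -e trace=open,openat,read,close ... 2>/dev/null`).
printf '%s\n' "$TRACE_SAMPLE" | check_entropy_read 32
```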