SSL Randomness Source

We currently run nginx on the majority of our internet-facing webservers
and we process a lot of SSL traffic. That’s a lot of SSL handshakes and
a lot of entropy required. To help with this, we’ve bought some USB
pseudo-random entropy generating keys. These basically give the server a
fast source of entropy, which can be accessed via /dev/random.

In Apache, the SSL configuration includes a directive ‘SSLRandomSeed’
which allows you to define a source for randomness, with the default
being ‘builtin’ which uses some Apache internals as a PRNG. It includes
options to use a filesystem location (/dev/random for example) or an egd
(entropy daemon) source.

Can anyone tell me where nginx SSL gets its entropy from by default and
whether it can be changed?

Cheers

Dave

On Wed, Jul 14, 2010 at 01:11:37PM +0100, Dave Barton wrote:

> (entropy daemon) source.
>
> Can anyone tell me where nginx SSL gets its entropy from by default and
> whether it can be changed?

nginx uses OpenSSL's default entropy source. On Unix systems OpenSSL tries
to use /dev/urandom, /dev/random and /dev/srandom, one after another.
On FreeBSD /dev/urandom is a symlink to /dev/random.


Igor S.
http://sysoev.ru/en/
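An added example, not part of the thread and not nginx or OpenSSL code: a POSIX
shell script that probes the three device files in the order Igor gives,
reports which one a process following that order would read first, shows
whether each path is a symlink (as Igor notes for FreeBSD) or a character
device, and on Linux prints the kernel's entropy estimate from
/proc/sys/kernel/random/entropy_avail. The function names are my own. Igor
describes the OpenSSL of 2010; OpenSSL 1.1.1 and later seed their DRBG from
getrandom(2) where the kernel provides it and only fall back to these device
files otherwise, so on a current system the probe below tells you about the
fallback path, not necessarily the primary seed source.

```shell
#!/bin/sh
# Added example (not from the nginx list thread): check the device files an
# OpenSSL-based server such as nginx may read for entropy, in the order Igor
# lists them: /dev/urandom, /dev/random, /dev/srandom.

# Print the first candidate path that exists and is readable by this user,
# which is the one a process probing in this order would end up opening.
# Returns 1 (and prints nothing) when none of the candidates is readable.
first_readable_source() {
    for dev in "$@"; do
        if [ -r "$dev" ]; then
            printf '%s\n' "$dev"
            return 0
        fi
    done
    return 1
}

# Describe a path as "symlink -> target", "char device" or "missing".
# Distinguishing the symlink case matters because, as Igor notes, on
# FreeBSD /dev/urandom is a symlink to /dev/random.
describe_source() {
    if [ -L "$1" ]; then
        printf 'symlink -> %s\n' "$(readlink "$1")"
    elif [ -c "$1" ]; then
        printf 'char device\n'
    else
        printf 'missing\n'
    fi
}

# Linux exposes the kernel's estimate of the input pool; print it, or
# "n/a" on systems without /proc (FreeBSD, macOS).
entropy_avail() {
    if [ -r /proc/sys/kernel/random/entropy_avail ]; then
        cat /proc/sys/kernel/random/entropy_avail
    else
        printf 'n/a\n'
    fi
}

main() {
    for d in /dev/urandom /dev/random /dev/srandom; do
        printf '%-13s %s\n' "$d" "$(describe_source "$d")"
    done
    if src=$(first_readable_source /dev/urandom /dev/random /dev/srandom); then
        printf 'first readable source in OpenSSL order: %s\n' "$src"
    else
        printf 'no readable entropy device found\n'
    fi
    printf 'kernel entropy estimate (Linux only): %s\n' "$(entropy_avail)"
}

main "$@"
```

Run it as the user nginx worker processes run as (typically www-data or nginx),
since readability, not mere existence, is what decides which device a process
can open. On Linux /dev/urandom never blocks, so a server reading it will not
stall on an empty pool; the hardware key Dave mentions feeds the kernel pool
and therefore helps /dev/random consumers most, while /dev/urandom benefits
from it only through better seeding.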

Thanks Igor. That’s just what I needed.

Cheers

Dave