[New-bugs-announce] [issue20952] OpenSSL and RDRAND

Jeffrey Walton report at bugs.python.org
Sun Mar 16 23:43:43 CET 2014


New submission from Jeffrey Walton:

Some versions of OpenSSL use the RDRAND engine by default. The versions include openssl-1.0.1-beta1 through openssl-1.0.1f.

RDRAND has taken some criticism because it's essentially unaudited and it could be spiked like the Dual-EC generator (http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html).

If the RDRAND engine is in effect, then the application and the library (internally) will be using the generator. But some folks don't want to use an unaudited generator.

I'm not sure what the best action is to take. For reading on ways to disable the RDRAND engine, see http://seclists.org/fulldisclosure/2013/Dec/142.

----------
components: Extension Modules
messages: 213769
nosy: Jeffrey.Walton
priority: normal
severity: normal
status: open
title: OpenSSL and RDRAND

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue20952>
_______________________________________
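
An added example, not part of the original report or of CPython: a check of whether the OpenSSL that the ssl module is linked against falls in the version range the report names (openssl-1.0.1-beta1 through openssl-1.0.1f). The function names and the sample version strings are constructed for illustration; a match shows only that the version is in that range, not that the RDRAND engine is actually in effect on the machine.

```python
import re
import ssl

# Range stated in the report: openssl-1.0.1-beta1 through openssl-1.0.1f.
# Tuples use the layout of ssl.OPENSSL_VERSION_INFO:
# (major, minor, fix, patch, status); patch 'a'..'z' maps to 1..26 and
# status is 0 for dev, 1..14 for beta N, 15 for a release.
FIRST_IN_RANGE = (1, 0, 1, 0, 1)   # 1.0.1-beta1
LAST_IN_RANGE = (1, 0, 1, 6, 15)   # 1.0.1f

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-(dev|beta)(\d*))?")


def parse_openssl_version(text):
    """Turn a pre-3.0 style string such as 'OpenSSL 1.0.1f ...' into a tuple."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version found in %r" % (text,))
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    patch = ord(m.group(4)) - ord("a") + 1 if m.group(4) else 0
    if m.group(5) == "dev":
        status = 0
    elif m.group(5) == "beta":
        status = int(m.group(6) or 1)
    else:
        status = 15  # release; suffixes such as '-fips' do not change it
    return (major, minor, fix, patch, status)


def in_reported_range(info):
    """True if the version tuple lies within the range named in the report."""
    return FIRST_IN_RANGE <= tuple(info) <= LAST_IN_RANGE


def check_linked_openssl():
    """Return (version string, in-range flag) for this interpreter's OpenSSL."""
    return ssl.OPENSSL_VERSION, in_reported_range(ssl.OPENSSL_VERSION_INFO)


if __name__ == "__main__":
    version, flagged = check_linked_openssl()
    print("%s: %s" % (version, "in reported range" if flagged else "outside reported range"))
    # Constructed sample strings, e.g. collected from an inventory of hosts.
    for sample in ("OpenSSL 1.0.1-beta1 3 Jan 2012", "OpenSSL 1.0.1e-fips 11 Feb 2013",
                   "OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 1.0.0k 5 Feb 2013"):
        print(sample, "->", in_reported_range(parse_openssl_version(sample)))
```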

