http://www.placenet.org/benoit/index.php/ fr Sat, 09 Aug 2008 08:26:39 +0200 http://blogs.law.harvard.edu/tech/rss Dotclear http://www.placenet.org/benoit/index.php/post/2008/05/14/lets-drop-openssl urn:md5:df92679804d40407628cca57de03e0fb Wed, 14 May 2008 10:50:00 +0200 Benoît Dejean bugopenssl <p>About <a href="http://www.debian.org/security/2008/dsa-1571">DSA-1571 openssl </a>, <del>I totally aggree with <a href="http://blog.drinsama.de/erich/en/linux/2008051401-debian-openssl-desaster">Eric</a> ... openssl is just like this <a href="http://www.xkcd.com/221/">XKCD strip</a>. So whatever distro you run, cross your fingers while you generate your keys from so-called uninitialized memory so it's uninitialized enough. Why don't we just drop openssl ?</del></p> <p>PS: http://wiki.debian.org/SSLkeys gives better explanation. The problem is that one of the cleanups is harmless, while the other one actually commented the code that seeds the PRNG with real entropy. Ouch.</p>