From: KOSAKI Motohiro <kosaki.motohiro@...>
Date: 2016-05-04T22:27:43+09:00
Subject: [ruby-core:75348] Re: [Ruby trunk Bug#9569] SecureRandom should try /dev/urandom first

> Delan Azabani wrote:
>> Changing the order of `SecureRandom.gen_random` should be enough to fix this bug, but I would also suggest adding `arc4random(3)` or `getentropy(2)` to the collection of system calls tried by `fill_random_bytes_syscall`, which will mitigate file descriptor exhaustion attacks for OpenBSD users.
>
> Nothing needs to be done on OpenBSD, since SecureRandom.random_bytes uses OpenSSL::Random.random_bytes, which calls RAND_bytes(3).  OpenBSD uses LibreSSL, which on OpenBSD has RAND_bytes(3) call arc4random_buf(3) which calls getentropy(2). OpenBSD's libssl already mitigates file descriptor exhaustion attacks.


Great.

This is what application developers want to (Open|Libre)SSL exactly.

Unsubscribe: <mailto:ruby-core-request@ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>