Specifies the absolute path for the entropy-source file or device used as a seed for SSL key generation.
Valid Values
string | RANDFILE
where:
string
is the absolute path for the entropy-source file or device that seeds the random number generator used for SSL key generation.
Behavior
If set to string, the specified entropy-source file or device seeds the random number generator used for SSL key generation. Entropy quality and blocking behavior differ between files and devices; see Common Valid Values below for the sources most often used and how each behaves.
If set to RANDFILE, the RAND_file_name() function in your application generates a default path for the random seed file. The seed file is $RANDFILE if that environment variable is set; otherwise, it is $HOME/.rnd. If $HOME is not set either, an error occurs.
Common Valid Values
Although other entropy-source files may be specified, the following valid values are for files and devices that are commonly used for seeding:
/dev/random
is a pseudorandom number generator (blocking) that creates a seed from random bits of environmental noise it collects in an entropy pool. When there is insufficient noise in the pool, reads from the device block until enough noise has been collected. This provides more secure SSL key generation, but at the expense of blocked calls.
/dev/urandom
is a pseudorandom number generator (non-blocking) that creates seeds from random bits of environmental noise it collects in an entropy pool. When there is insufficient noise in the pool, the device reuses bits from the pool instead of blocking calls. This eliminates potential delays associated with blocked calls, but may result in less secure SSL key generation.
/dev/hwrng
is a hardware random number generator. The behavior is dependent on the device used in your environment.
Notes
This option is ignored when SSL is disabled (EncryptionMethod=0) or the seed source is set to Poll Only (PRNGSeedSource=1).
For processes that employ multiple SSL-enabled drivers, the behavior of this option for all drivers is determined by the values specified for the driver that first connects to the process and loads the OpenSSL library. Since the OpenSSL library loads only once per process, the values specified for drivers that subsequently connect are ignored. To ensure that the correct security settings are used, we recommend configuring this option identically for all drivers used in a process.
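The following added example (not part of this documentation or the driver itself) models the rules stated under Behavior and Notes as a pre-deployment check: it resolves the RANDFILE fallback ($RANDFILE, then $HOME/.rnd, otherwise an error), rejects non-absolute paths, and reports when PRNGSeedFile is ignored because EncryptionMethod=0 or PRNGSeedSource=1. The option names are taken from this page; the dict-of-strings settings layout and the function names are assumptions for illustration.

```python
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Descriptions of the commonly used sources listed on this page.
KNOWN_SOURCES = {
    "/dev/random": "blocking PRNG: reads block until the entropy pool has enough noise",
    "/dev/urandom": "non-blocking PRNG: never blocks, may reuse pool bits",
    "/dev/hwrng": "hardware RNG: behavior depends on the device",
}


@dataclass
class SeedCheck:
    effective: bool            # True when PRNGSeedFile actually takes effect
    path: Optional[str]        # resolved seed file or device, if any
    notes: List[str] = field(default_factory=list)


def resolve_seed_file(value: str, env: Dict[str, str]) -> str:
    """Resolve a PRNGSeedFile value to a path, following the RANDFILE rule above."""
    if value == "RANDFILE":
        if env.get("RANDFILE"):
            return env["RANDFILE"]
        if env.get("HOME"):
            return os.path.join(env["HOME"], ".rnd")
        raise ValueError("RANDFILE requested but neither $RANDFILE nor $HOME is set")
    if not os.path.isabs(value):
        raise ValueError(f"PRNGSeedFile must be an absolute path, got {value!r}")
    return value


def check_seed_config(settings: Dict[str, str], env: Dict[str, str]) -> SeedCheck:
    """Report whether PRNGSeedFile is in effect for one driver's settings.

    settings: option names mapped to string values (assumed layout, e.g. one
    odbc.ini data source). Only explicit values are interpreted; defaults for
    missing options are not assumed here.
    """
    if "PRNGSeedFile" not in settings:
        return SeedCheck(False, None, ["PRNGSeedFile is not set"])
    if settings.get("EncryptionMethod") == "0":
        return SeedCheck(False, None, ["SSL disabled (EncryptionMethod=0): PRNGSeedFile is ignored"])
    if settings.get("PRNGSeedSource") == "1":
        return SeedCheck(False, None, ["PRNGSeedSource=1 (Poll Only): PRNGSeedFile is ignored"])
    path = resolve_seed_file(settings["PRNGSeedFile"], env)
    notes = [KNOWN_SOURCES.get(path, "custom entropy source: verify its entropy quality")]
    if path == "/dev/random":
        notes.append("key generation may stall while the entropy pool refills")
    return SeedCheck(True, path, notes)
```

Run the check against each driver's settings in a multi-driver process; per the note above, only the first driver to load OpenSSL decides, so every entry should resolve to the same source.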