PRNGSeedFile
- Last Updated: October 3, 2020
- DataDirect Connectors
- ODBC
- Cloudera Impala 7.1
- dBase 7.1
- Flat files/Text 7.1
- MySQL 7.1
- Pervasive (Btrieve) 7.1
- XML 7.1
Attribute
PRNGSeedFile (PSF)
Purpose
Specifies the absolute path for the entropy-source file or device
used as a seed for TLS/SSL key generation.
Valid Values
string | RANDFILE
where:
- string
- is the absolute path for the entropy-source file or device that seeds the random number generator used for TLS/SSL key generation.
Behavior
If set to string, the specified entropy-source file or device seeds the random number generator used for TLS/SSL key generation. Entropy levels and behavior may vary for different files and devices. See the following section for a list of commonly used entropy sources and their behavior.
If set to RANDFILE, the RAND_file_name() function in your application generates a default path for the random seed file. The seed file is $RANDFILE if that environment variable is set; otherwise, it is $HOME/.rnd. If $HOME is not set either, an error occurs.
Common Valid Values
Although other entropy-source files may be specified, the following valid values are for files and devices that are commonly used for seeding:
- /dev/random
- is a pseudorandom number generator (blocking) that creates a seed from random bits of environmental noise it collects in an entropy pool. When there is insufficient noise in the pool, the file blocks calls until enough noise is collected. This provides more secure TLS/SSL key generation, but at the expense of blocked calls.
- /dev/urandom
- is a pseudorandom number generator (non-blocking) that creates seeds from random bits of environmental noise it collects in an entropy pool. When there is insufficient noise in the pool, the file reuses bits from the pool instead of blocking calls. This eliminates potential delays associated with blocked calls, but may result in less secure TLS/SSL key generation.
- /dev/hwrng
- is a hardware random number generator. The behavior is dependent on the device used in your environment.
Notes
- Warning: If you are distributing the driver with your application, you must prevent your end users from setting the value for the PRNGSeedFile option. The PRNGSeedFile option provides a method for you to specify an entropy-source file used for SSL encryption. However, if exposed, the option can be used to specify files that execute malicious or undesirable code. Refer to Security best practices for ODBC applications in the Progress DataDirect for ODBC Drivers Reference for more information.
- The value specified for this option should be an absolute path to a mounted drive.
- This option is ignored when TLS/SSL is disabled (EncryptionMethod=0) or the seed source is set to Poll Only (PRNGSeedSource=1).
- For processes that employ multiple TLS/SSL-enabled drivers, the behavior of this option for all drivers is determined by the values specified for the driver that first connects to the process and loads the OpenSSL library. Since the OpenSSL library loads only once per process, the values specified for drivers that subsequently connect are ignored. To ensure that the correct security settings are used, we recommend configuring this option identically for all drivers used in a process.
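The following Python is an added example, not code from the DataDirect documentation or drivers. It models the RANDFILE default-path rule given under Behavior ($RANDFILE, then $HOME/.rnd, else an error) and the checks the Notes call for: the application pins PRNGSeedFile to an absolute path from a fixed set of entropy sources and drops any PRNGSeedFile/PSF attribute an end user tries to pass in, so the option is never exposed. The allowlist contents, the function names, and the environment values in the test are assumptions; the optional filesystem check is off by default so the code runs without a real driver installed.

```python
import os
import stat

# Allowlist of entropy sources (assumption: taken from the "Common Valid
# Values" section; an application may narrow it further, e.g. to /dev/random only).
ALLOWED_SEED_SOURCES = frozenset({"/dev/random", "/dev/urandom", "/dev/hwrng"})

# Both spellings of the connection attribute, compared case-insensitively,
# because ODBC connection-string keywords are not case-sensitive.
SEED_ATTRIBUTE_NAMES = frozenset({"prngseedfile", "psf"})


def resolve_randfile(env):
    """Default seed-file path as described for RANDFILE:
    $RANDFILE if set, otherwise $HOME/.rnd, otherwise an error."""
    if env.get("RANDFILE"):
        return env["RANDFILE"]
    if env.get("HOME"):
        return os.path.join(env["HOME"], ".rnd")
    raise ValueError("neither RANDFILE nor HOME is set; no default seed file")


def validate_seed_file(value, env=None, allowlist=ALLOWED_SEED_SOURCES, check_fs=False):
    """Return the effective seed path for a PRNGSeedFile value, or raise ValueError.

    - "RANDFILE" is resolved through the environment.
    - Any other value must be an absolute, already-normalised path that is in
      the allowlist (the Notes say the option must not be user-settable).
    - With check_fs=True the path must also exist and be a regular file or a
      character device (a symlink is rejected because lstat does not follow it).
    """
    env = os.environ if env is None else env
    path = resolve_randfile(env) if value == "RANDFILE" else value

    if not os.path.isabs(path):
        raise ValueError(f"PRNGSeedFile must be an absolute path: {path!r}")
    if os.path.normpath(path) != path:
        raise ValueError(f"PRNGSeedFile path is not normalised: {path!r}")
    if value != "RANDFILE" and path not in allowlist:
        raise ValueError(f"PRNGSeedFile {path!r} is not an approved entropy source")

    if check_fs:
        st = os.lstat(path)
        if not (stat.S_ISREG(st.st_mode) or stat.S_ISCHR(st.st_mode)):
            raise ValueError(f"PRNGSeedFile {path!r} is not a regular file or char device")
    return path


def is_valid_seed_file(value, env=None):
    """Boolean wrapper around validate_seed_file for callers that just need yes/no."""
    try:
        validate_seed_file(value, env)
    except ValueError:
        return False
    return True


def build_connection_string(base_attrs, seed_file, user_attrs=None, env=None):
    """Assemble an ODBC connection string in which PRNGSeedFile is fixed by the
    application. Attributes supplied by the end user are merged in, except any
    attempt to set PRNGSeedFile/PSF, which is discarded."""
    path = validate_seed_file(seed_file, env)
    attrs = dict(base_attrs)
    for key, val in (user_attrs or {}).items():
        if key.lower() in SEED_ATTRIBUTE_NAMES:
            continue  # end users must not choose the entropy source
        attrs[key] = val
    attrs["PRNGSeedFile"] = path
    return ";".join(f"{k}={v}" for k, v in attrs.items())


if __name__ == "__main__":
    # Constructed sample: application-owned attributes plus a user-supplied
    # override attempt, which is dropped.
    print(build_connection_string(
        {"Driver": "DataDirect Driver", "EncryptionMethod": "1"},
        "/dev/random",
        user_attrs={"Database": "sales", "psf": "/tmp/not-an-entropy-source"},
    ))
```

The allowlist check is skipped only for RANDFILE, since that path is derived from the environment rather than typed by a user; if the deployment does not control $RANDFILE and $HOME, treat RANDFILE itself as a value to exclude.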
Default
/dev/random
GUI tab
NA