authorDr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>2019-11-13 16:02:09 +0100
committerDr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>2019-11-24 08:35:14 +0100
commit23f3993127c0a05651e28701d91edb478ebe6efa (patch)
tree6ee21d66ade039064e05a0078ca8c526b650d3af /doc
parent0c080f73e8fc3cf7e73a42b15011d8a0a0c8aab7 (diff)
Remove RANDFILE settings from configuration files
OpenSSL 1.1.1 introduced a new CSPRNG with an improved seeding mechanism, which makes it unnecessary to define a RANDFILE for saving and restoring randomness. This commit removes the RANDFILE declarations from our own configuration files and adds documentation that this option is not needed anymore and is retained mainly for compatibility reasons. Fixes #10433 Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10436)
Diffstat (limited to 'doc')
-rw-r--r--doc/man1/openssl-ca.pod.in10
-rw-r--r--doc/man1/openssl-req.pod.in2
-rw-r--r--doc/man1/openssl-ts.pod.in21
-rw-r--r--doc/man5/config.pod1
4 files changed, 25 insertions, 9 deletions
diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in
index 6df41d897f..c439fde5d9 100644
--- a/doc/man1/openssl-ca.pod.in
+++ b/doc/man1/openssl-ca.pod.in
@@ -446,7 +446,8 @@ CA private key. Mandatory.
=item B<RANDFILE>
At startup the specified file is loaded into the random number generator,
-and at exit 256 bytes will be written to it.
+and at exit 256 bytes will be written to it. (Note: Using a RANDFILE is
+not necessary anymore, see the L</HISTORY> section.
=item B<default_days>
@@ -654,7 +655,6 @@ A sample configuration file with the relevant sections for this command:
serial = $dir/serial # serial no file
#rand_serial = yes # for random serial#'s
private_key = $dir/private/cakey.pem# CA private key
- RANDFILE = $dir/private/.rand # random number file
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
@@ -690,7 +690,6 @@ The values below reflect the default values.
./demoCA/index.txt - CA text database file
./demoCA/index.txt.old - CA text database backup file
./demoCA/certs - certificate output file
- ./demoCA/.rnd - CA random seed information
=head1 RESTRICTIONS
@@ -767,6 +766,11 @@ B<-enddate> and B<-days>) will be encoded as UTCTime if the dates are
earlier than year 2049 (included), and as GeneralizedTime if the dates
are in year 2050 or later.
+OpenSSL 1.1.1 introduced a new random generator (CSPRNG) with an improved
+seeding mechanism. The new seeding mechanism makes it unnecessary to
+define a RANDFILE for saving and restoring randomness. This option is
+retained mainly for compatibility reasons.
+
=head1 SEE ALSO
L<openssl(1)>,
diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in
index 8ca4acc111..83aa1ad54e 100644
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@@ -592,8 +592,6 @@ Sample configuration file prompting for field values:
Sample configuration containing all field values:
- RANDFILE = $ENV::HOME/.rnd
-
[ req ]
default_bits = 2048
default_keyfile = keyfile.pem
diff --git a/doc/man1/openssl-ts.pod.in b/doc/man1/openssl-ts.pod.in
index 035763260d..6827fe84d1 100644
--- a/doc/man1/openssl-ts.pod.in
+++ b/doc/man1/openssl-ts.pod.in
@@ -403,15 +403,23 @@ section can be overridden with the B<-section> command line switch. (Optional)
=item B<oid_file>
-See L<openssl-ca(1)> for description. (Optional)
+This specifies a file containing additional B<OBJECT IDENTIFIERS>.
+Each line of the file should consist of the numerical form of the
+object identifier followed by white space then the short name followed
+by white space and finally the long name. (Optional)
=item B<oid_section>
-See L<openssl-ca(1)> for description. (Optional)
+This specifies a section in the configuration file containing extra
+object identifiers. Each line should consist of the short name of the
+object identifier followed by B<=> and the numerical form. The short
+and long names are the same when this option is used. (Optional)
=item B<RANDFILE>
-See L<openssl-ca(1)> for description. (Optional)
+At startup the specified file is loaded into the random number generator,
+and at exit 256 bytes will be written to it. (Note: Using a RANDFILE is
+not necessary anymore, see the L</HISTORY> section.
=item B<serial>
@@ -644,6 +652,13 @@ test/testtsa).
=back
+=head1 HISTORY
+
+OpenSSL 1.1.1 introduced a new random generator (CSPRNG) with an improved
+seeding mechanism. The new seeding mechanism makes it unnecessary to
+define a RANDFILE for saving and restoring randomness. This option is
+retained mainly for compatibility reasons.
+
=head1 SEE ALSO
L<openssl(1)>,
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
index 4b8465594a..1776439edd 100644
--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@@ -416,7 +416,6 @@ mentioned above.
# This is the default section.
HOME=/temp
- RANDFILE= ${ENV::HOME}/.rnd
configdir=$ENV::HOME/config
[ section_one ]