diff --git a/.gitignore b/.gitignore
index 8629499c49..eb95e48bfe 100644
--- a/.gitignore
+++ b/.gitignore
@@ -124,7 +124,6 @@ doc/man1/openssl-x509.pod
 /out32dll.dbg
 /inc32
 /MINFO
-/ms/.rnd
 /ms/bcb.mak
 /ms/libeay32.def
 /ms/nt.mak
diff --git a/demos/certs/apps/apps.cnf b/demos/certs/apps/apps.cnf
index 531afe64b2..bd762b7ddc 100644
--- a/demos/certs/apps/apps.cnf
+++ b/demos/certs/apps/apps.cnf
@@ -5,7 +5,6 @@
 # This definition stops the following lines choking if HOME or CN
 # is undefined.
 HOME			= .
-RANDFILE		= $ENV::HOME/.rnd
 CN			= "Not Defined"
 
 ####################################################################
diff --git a/demos/certs/ca.cnf b/demos/certs/ca.cnf
index 5a8a5f29ef..c75a71a6aa 100644
--- a/demos/certs/ca.cnf
+++ b/demos/certs/ca.cnf
@@ -5,7 +5,6 @@
 # This definition stops the following lines choking if HOME or CN
 # is undefined.
 HOME			= .
-RANDFILE		= $ENV::HOME/.rnd
 CN			= "Not Defined"
 default_ca		= ca
 
diff --git a/doc/man1/openssl-ca.pod.in b/doc/man1/openssl-ca.pod.in
index 6df41d897f..c439fde5d9 100644
--- a/doc/man1/openssl-ca.pod.in
+++ b/doc/man1/openssl-ca.pod.in
@@ -446,7 +446,8 @@ CA private key. Mandatory.
 =item B<RANDFILE>
 
 At startup the specified file is loaded into the random number generator,
-and at exit 256 bytes will be written to it.
+and at exit 256 bytes will be written to it. (Note: Using a RANDFILE is
+not necessary anymore, see the L</HISTORY> section.
 
 =item B<default_days>
 
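Review bot: The parenthesis opened at `(Note: Using a RANDFILE is` in the added B<RANDFILE> text is never closed, so the rendered man page will carry an unbalanced parenthetical. The sentence should end with `not necessary anymore, see the L</HISTORY> section.)`. The same two added lines appear in the B<RANDFILE> item of doc/man1/openssl-ts.pod.in and need the same fix. The `L</HISTORY>` link in this file depends on a HISTORY heading that is not visible in any hunk here. The paragraph added later in this file presumably lands under that heading, which is worth confirming when the page is rendered.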
@@ -654,7 +655,6 @@ A sample configuration file with the relevant sections for this command:
  serial         = $dir/serial           # serial no file
  #rand_serial    = yes                  # for random serial#'s
  private_key    = $dir/private/cakey.pem# CA private key
- RANDFILE       = $dir/private/.rand    # random number file
 
  default_days   = 365                   # how long to certify for
  default_crl_days= 30                   # how long before next CRL
@@ -690,7 +690,6 @@ The values below reflect the default values.
  ./demoCA/index.txt             - CA text database file
  ./demoCA/index.txt.old         - CA text database backup file
  ./demoCA/certs                 - certificate output file
- ./demoCA/.rnd                  - CA random seed information
 
 =head1 RESTRICTIONS
 
@@ -767,6 +766,11 @@ B<-enddate> and B<-days>) will be encoded as UTCTime if the dates are
 earlier than year 2049 (included), and as GeneralizedTime if the dates
 are in year 2050 or later.
 
+OpenSSL 1.1.1 introduced a new random generator (CSPRNG) with an improved
+seeding mechanism. The new seeding mechanism makes it unnecessary to
+define a RANDFILE for saving and restoring randomness. This option is
+retained mainly for compatibility reasons.
+
 =head1 SEE ALSO
 
 L<openssl(1)>,
diff --git a/doc/man1/openssl-req.pod.in b/doc/man1/openssl-req.pod.in
index 8ca4acc111..83aa1ad54e 100644
--- a/doc/man1/openssl-req.pod.in
+++ b/doc/man1/openssl-req.pod.in
@@ -592,8 +592,6 @@ Sample configuration file prompting for field values:
 Sample configuration containing all field values:
 
 
- RANDFILE               = $ENV::HOME/.rnd
-
  [ req ]
  default_bits           = 2048
  default_keyfile        = keyfile.pem
diff --git a/doc/man1/openssl-ts.pod.in b/doc/man1/openssl-ts.pod.in
index 035763260d..6827fe84d1 100644
--- a/doc/man1/openssl-ts.pod.in
+++ b/doc/man1/openssl-ts.pod.in
@@ -403,15 +403,23 @@ section can be overridden with the B<-section> command line switch. (Optional)
 
 =item B<oid_file>
 
-See L<openssl-ca(1)> for description. (Optional)
+This specifies a file containing additional B<OBJECT IDENTIFIERS>.
+Each line of the file should consist of the numerical form of the
+object identifier followed by white space then the short name followed
+by white space and finally the long name. (Optional)
 
 =item B<oid_section>
 
-See L<openssl-ca(1)> for description. (Optional)
+This specifies a section in the configuration file containing extra
+object identifiers. Each line should consist of the short name of the
+object identifier followed by B<=> and the numerical form. The short
+and long names are the same when this option is used. (Optional)
 
 =item B<RANDFILE>
 
-See L<openssl-ca(1)> for description. (Optional)
+At startup the specified file is loaded into the random number generator,
+and at exit 256 bytes will be written to it. (Note: Using a RANDFILE is
+not necessary anymore, see the L</HISTORY> section.
 
 =item B<serial>
 
@@ -644,6 +652,13 @@ test/testtsa).
 
 =back
 
+=head1 HISTORY
+
+OpenSSL 1.1.1 introduced a new random generator (CSPRNG) with an improved
+seeding mechanism. The new seeding mechanism makes it unnecessary to
+define a RANDFILE for saving and restoring randomness. This option is
+retained mainly for compatibility reasons.
+
 =head1 SEE ALSO
 
 L<openssl(1)>,
diff --git a/doc/man5/config.pod b/doc/man5/config.pod
index 4b8465594a..1776439edd 100644
--- a/doc/man5/config.pod
+++ b/doc/man5/config.pod
@@ -416,7 +416,6 @@ mentioned above.
  # This is the default section.
 
  HOME=/temp
- RANDFILE= ${ENV::HOME}/.rnd
  configdir=$ENV::HOME/config
 
  [ section_one ]
diff --git a/test/CAss.cnf b/test/CAss.cnf
index b20a242760..8ca62b5cf7 100644
--- a/test/CAss.cnf
+++ b/test/CAss.cnf
@@ -3,8 +3,6 @@
 # This is mostly being used for generation of certificate requests.
 #
 
-RANDFILE		= ./.rnd
-
 ####################################################################
 [ req ]
 default_bits		= 2048
@@ -43,7 +41,6 @@ certificate	= $dir/cacert.pem 	# The CA certificate
 serial		= $dir/serial 		# The current serial number
 crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/cakey.pem# The private key
-RANDFILE	= $dir/private/.rand	# private random number file
 
 x509_extensions	= v3_ca			# The extensions to add to the cert
 
diff --git a/test/CAssdh.cnf b/test/CAssdh.cnf
index 4e0a908679..7c08a6e1cc 100644
--- a/test/CAssdh.cnf
+++ b/test/CAssdh.cnf
@@ -4,8 +4,6 @@
 #
 # hacked by iang to do DH certs - CA
 
-RANDFILE              = ./.rnd
-
 ####################################################################
 [ req ]
 distinguished_name    = req_distinguished_name
diff --git a/test/CAssdsa.cnf b/test/CAssdsa.cnf
index a6b4d1810c..8328abd7b4 100644
--- a/test/CAssdsa.cnf
+++ b/test/CAssdsa.cnf
@@ -4,8 +4,6 @@
 #
 # hacked by iang to do DSA certs - CA
 
-RANDFILE              = ./.rnd
-
 ####################################################################
 [ req ]
 distinguished_name    = req_distinguished_name
diff --git a/test/CAssrsa.cnf b/test/CAssrsa.cnf
index eb24a6dfc0..d5aa20a72b 100644
--- a/test/CAssrsa.cnf
+++ b/test/CAssrsa.cnf
@@ -4,8 +4,6 @@
 #
 # create RSA certs - CA
 
-RANDFILE              = ./.rnd
-
 ####################################################################
 [ req ]
 distinguished_name    = req_distinguished_name
diff --git a/test/CAtsa.cnf b/test/CAtsa.cnf
index d1642879be..e7ca8c5a1e 100644
--- a/test/CAtsa.cnf
+++ b/test/CAtsa.cnf
@@ -3,8 +3,6 @@
 # This config is used by the Time Stamp Authority tests.
 #
 
-RANDFILE		= ./.rnd
-
 # Extra OBJECT IDENTIFIER info:
 oid_section		= new_oids
 
@@ -32,7 +30,6 @@ new_certs_dir	= $dir/newcerts		# default place for new certs.
 certificate	= $dir/cacert.pem 	# The CA certificate
 serial		= $dir/serial 		# The current serial number
 private_key	= $dir/private/cakey.pem# The private key
-RANDFILE	= $dir/private/.rand	# private random number file
 
 default_days	= 365			# how long to certify for
 default_md	= sha256			# which md to use.
diff --git a/test/P1ss.cnf b/test/P1ss.cnf
index e6118dc816..03f3cdb1ad 100644
--- a/test/P1ss.cnf
+++ b/test/P1ss.cnf
@@ -3,8 +3,6 @@
 # This is mostly being used for generation of certificate requests.
 #
 
-RANDFILE		= ./.rnd
-
 ####################################################################
 [ req ]
 default_bits		= 2048
diff --git a/test/P2ss.cnf b/test/P2ss.cnf
index d530e31f99..5adaecc7d5 100644
--- a/test/P2ss.cnf
+++ b/test/P2ss.cnf
@@ -3,8 +3,6 @@
 # This is mostly being used for generation of certificate requests.
 #
 
-RANDFILE		= ./.rnd
-
 ####################################################################
 [ req ]
 default_bits		= 2048
diff --git a/test/Sssdsa.cnf b/test/Sssdsa.cnf
index 8e170a28ef..2fb35e0880 100644
--- a/test/Sssdsa.cnf
+++ b/test/Sssdsa.cnf
@@ -4,8 +4,6 @@
 #
 # hacked by iang to do DSA certs - Server
 
-RANDFILE              = ./.rnd
-
 ####################################################################
 [ req ]
 distinguished_name    = req_distinguished_name
diff --git a/test/Sssrsa.cnf b/test/Sssrsa.cnf
index 8c79a03fca..f2b6e72b91 100644
--- a/test/Sssrsa.cnf
+++ b/test/Sssrsa.cnf
@@ -4,8 +4,6 @@
 #
 # create RSA certs - Server
 
-RANDFILE              = ./.rnd
-
 ####################################################################
 [ req ]
 distinguished_name    = req_distinguished_name
diff --git a/test/Uss.cnf b/test/Uss.cnf
index f655e7448d..27517bd106 100644
--- a/test/Uss.cnf
+++ b/test/Uss.cnf
@@ -3,7 +3,6 @@
 # This is mostly being used for generation of certificate requests.
 #
 
-RANDFILE		= ./.rnd
 CN2 = Brother 2
 
 ####################################################################
diff --git a/test/conf_include_test.c b/test/conf_include_test.c
index 16459c46d7..0cf8d49740 100644
--- a/test/conf_include_test.c
+++ b/test/conf_include_test.c
@@ -90,13 +90,6 @@ static int test_load_config(void)
         return 0;
     }
 
-    /* verify whether RANDFILE is set correctly */
-    str = NCONF_get_string(conf, "", "RANDFILE");
-    if (!TEST_ptr(str) || !TEST_str_eq(str, "./.rnd")) {
-        TEST_note("RANDFILE incorrect");
-        return 0;
-    }
-
     /* verify whether CA_default/default_days is set */
     val = 0;
     if (!TEST_int_eq(NCONF_get_number(conf, "CA_default", "default_days", &val), 1)
diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t
index 6da8e897f5..0e085b435d 100644
--- a/test/recipes/25-test_req.t
+++ b/test/recipes/25-test_req.t
@@ -19,10 +19,6 @@ plan tests => 13;
 
 require_ok(srctop_file('test','recipes','tconversion.pl'));
 
-open RND, ">>", ".rnd";
-print RND "string to make the random number generator think it has randomness";
-close RND;
-
 # What type of key to generate?
 my @req_new;
 if (disabled("rsa")) {
diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
index 0290b489eb..2d213b7daa 100644
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@@ -100,10 +100,6 @@ testssl("keyU.ss", $Ucert, $CAcert);
 # -----------
 # subtest functions
 sub testss {
-    open RND, ">>", ".rnd";
-    print RND "string to make the random number generator think it has randomness";
-    close RND;
-
     my @req_dsa = ("-newkey",
                    "dsa:".srctop_file("apps", "dsa1024.pem"));
     my $dsaparams = srctop_file("apps", "dsa1024.pem");
diff --git a/test/recipes/90-test_includes_data/conf-includes/includes1.cnf b/test/recipes/90-test_includes_data/conf-includes/includes1.cnf
index 66c89006d0..5959b23e4b 100644
--- a/test/recipes/90-test_includes_data/conf-includes/includes1.cnf
+++ b/test/recipes/90-test_includes_data/conf-includes/includes1.cnf
@@ -4,8 +4,6 @@
 # This is mostly being used for generation of certificate requests.
 #
 
-RANDFILE		= ./.rnd
-
 ####################################################################
 [ ca ]
 default_ca	= CA_default		# The default ca section
@@ -23,7 +21,6 @@ certificate	= $dir/CAcert.pem 	# The CA certificate
 serial		= $dir/serial 		# The current serial number
 crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/CAkey.pem# The private key
-RANDFILE	= $dir/private/.rand	# private random number file
 
 default_days	= 365			# how long to certify for
 default_crl_days= 30			# how long before next CRL
diff --git a/test/smime-certs/ca.cnf b/test/smime-certs/ca.cnf
index 835b2c672d..00d40e7479 100644
--- a/test/smime-certs/ca.cnf
+++ b/test/smime-certs/ca.cnf
@@ -5,7 +5,6 @@
 # This definition stops the following lines choking if HOME or CN
 # is undefined.
 HOME			= .
-RANDFILE		= $ENV::HOME/.rnd
 CN			= "Not Defined"
 default_ca		= ca
 
diff --git a/test/test.cnf b/test/test.cnf
index 718b0bf1f2..1e2fa31cce 100644
--- a/test/test.cnf
+++ b/test/test.cnf
@@ -3,8 +3,6 @@
 # This is mostly being used for generation of certificate requests.
 #
 
-RANDFILE		= ./.rnd
-
 ####################################################################
 [ ca ]
 default_ca	= CA_default		# The default ca section
@@ -22,7 +20,6 @@ certificate	= $dir/CAcert.pem 	# The CA certificate
 serial		= $dir/serial 		# The current serial number
 crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/CAkey.pem# The private key
-RANDFILE	= $dir/private/.rand	# private random number file
 
 default_days	= 365			# how long to certify for
 default_crl_days= 30			# how long before next CRL