> Shouldn't it rely on the underlying operating
> system's secure RNG (for those that have one, which includes Debian)?
It does (see crypto/rand/rand_unix.c in the OpenSSL source code). But there's gotta be some way in
which the random bytes obtained via various system-dependent methods are put into one
coherent interface so that the remaining system-independent code can use them.