diff -U4 -r exim-4.68/src/tls-openssl.c exim-4.68+openssl-hwrng/src/tls-openssl.c
--- exim-4.68/src/tls-openssl.c	2007-08-30 15:31:06.000000000 +0100
+++ exim-4.68+openssl-hwrng/src/tls-openssl.c	2007-11-10 16:01:23.000000000 +0000
@@ -292,8 +292,10 @@
 static int
 tls_init(host_item *host, uschar *dhparam, uschar *certificate,
   uschar *privatekey, address_item *addr)
 {
+int hwrng;
+
 SSL_load_error_strings(); /* basic set up */
 OpenSSL_add_ssl_algorithms();
 
 /* Create a context */
@@ -310,17 +312,38 @@
 On systems that have /dev/urandom, SSL may automatically seed itself from
 there. Otherwise, we have to make something up as best we can. Double check
 afterwards. */
 
+hwrng = open("/dev/hwrng", O_RDONLY);
+if (hwrng)
+  {
+  void *buf = malloc(4096);
+  int hwrng_read;
+
+  if (buf)
+    {
+    hwrng_read = read(hwrng, buf, 4096);
+    if (hwrng_read > 0)
+      RAND_add(buf, hwrng_read, hwrng_read);
+    free(buf);
+    }
+  close(hwrng);
+  }
+
 if (!RAND_status())
   {
-  randstuff r;
-  r.t = time(NULL);
-  r.p = getpid();
-
-  RAND_seed((uschar *)(&r), sizeof(r));
-  RAND_seed((uschar *)big_buffer, big_buffer_size);
-  if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
+
+  /* Don't use an inferior seed if we used the hwrng. */
+  if (!hwrng)
+    {
+    randstuff r;
+    r.t = time(NULL);
+    r.p = getpid();
+
+    RAND_seed((uschar *)(&r), sizeof(r));
+    RAND_seed((uschar *)big_buffer, big_buffer_size);
+    if (addr != NULL) RAND_seed((uschar *)addr, sizeof(addr));
+    }
 
   if (!RAND_status())
     {
     if (host == NULL)
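Review bot: The new `if (hwrng)` test after the `open("/dev/hwrng", O_RDONLY)` call accepts -1, which is what open() returns when the device is absent, so on such a host read() fails on a bad descriptor, nothing is fed to RAND_add, and the later `if (!hwrng)` guard then also skips the time/pid fallback seeding that the old code always ran, leaving the PRNG with no seed at all rather than the inferior one. The descriptor is also doing double duty as a "seeded from hwrng" flag, which fails in the other direction should open() hand back descriptor 0. I would test `if (hwrng >= 0)`, keep a separate flag that is set only inside the `if (hwrng_read > 0)` branch after RAND_add succeeds, and make the fallback `if (!hwrng_seeded)` (the `int hwrng;` declaration in the first hunk would gain `int hwrng_seeded = 0;`). The third argument to RAND_add credits a full byte of entropy per byte read, which is a statement of trust in the device worth a one-line comment. tls_init begins before this hunk and continues past it.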