All, I had never seen anyone mention this, but ...
http://latacora.singles/2018/04/03/cryptographic-right-answers.html

The first reference to "openssl" in the page recommends against using the RNG from that library. This is a cryptographer author, so I assume that "RNG" means something different than PRNG? That doesn't make much sense to me, but I'm not a cryptographer... I can't find a reference to anything but the PRNG in OpenSSL, so I'm going to assume they are the same thing.

Tomcat allows libapr to give access to the OpenSSL PRNG for random-generation of things like session ids, right? I thought there was an option in there in the past for something like that, but I can't seem to find it right now. The page for <Manager> seems to indicate that java.security.SecureRandom (or compatible instance from an explicit Provider) will always be used, so maybe that's no longer a thing.

This article also mentions that "just use[ing] OpenSSL" for website security is appropriate. From that, I'm assuming that OpenSSL's TLS implementation uses the OS's source of randomness (e.g. /dev/urandom) rather than its own.

Are there any instances where Tomcat is using OpenSSL's random-number generator?

Just curious.

-chris