On 17/02/2021 21:58, Christopher Schultz wrote:

<snip/>

>> Yeah, creation on demand would be nice but it currently requires OpenSSL
>> which isn't guaranteed to be available.
> 
> Why not keytool or a "simple" Java driver to do the same?
> 
>> The entropy issue is a larger concern.
> 
> Yup. Unless we can convince the system to use /dev/urandom for key
> generation, which is something we *always* recommend against, and for
> good reason.
> 
> If we write our own cert-creator, perhaps we can rig it to use an awful
> source of entropy so it's nice and fast.

As is pretty much always the case, someone else has made the point I'd
like to make in response and far more eloquently than I ever could:

https://xkcd.com/1205/

The only thing I'd like to add is that generating new certs on the fly
every time is going to require compute time/energy on every test run.

Mark
