Mihaly Toth created SOLR-10385:
----------------------------------
Summary: Random source for SecureRandom in production
Key: SOLR-10385
URL: https://issues.apache.org/jira/browse/SOLR-10385
Project: Solr
Issue Type: Improvement
Security Level: Public (Default Security Level. Issues are Public)
Reporter: Mihaly Toth
The current source of randomness for SecureRandom is blocking on some low
entropy devices. The question is how secure would it be to change to a
non-blocking source. Some relevant comments from prior art issues:
https://issues.apache.org/jira/browse/SOLR-10338?focusedCommentId=15945523&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15945523
https://issues.apache.org/jira/browse/SOLR-10352?focusedCommentId=15939053&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15939053
https://issues.apache.org/jira/browse/SOLR-10338?focusedCommentId=15945420&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15945420
https://issues.apache.org/jira/browse/SOLR-10338?focusedCommentId=15945467&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15945467
Also, let me quote here Apache HTTP Server's approach:
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslrandomseed
it seems to let the user decide which option to select
And a very good argumentation for {{/dev/urandom}}
http://www.2uo.de/myths-about-urandom/
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
