I had never seen anyone mention this, but ...

The first reference to "openssl" in the page recommends against using
the RNG from that library. This is a cryptographer author, so I assume
that "RNG" means something different than PRNG? That doesn't make much
sense to me, but I'm not a cryptographer...

I can't find a reference to anything but the PRNG in OpenSSL, so I'm
going to assume they are the same thing.

Tomcat allows libapr to give access to the OpenSSL PRNG for
random-generation of things like session ids, right? I thought there was
an option in there in the past for something like that, but I can't seem
to find it right now. The page for <Manager> seems to indicate that (or compatible instance from an explicit
Provider) will always be used, so maybe that's no longer a thing.

This article also mentions that "just use[ing] OpenSSL" for website
security is appropriate. From that, I'm assuming that OpenSSL's TLS
implementation uses the OS's source of randomness (e.g. /dev/urandom)
rather than its own.

Are there any instances where Tomcat is using OpenSSL's random-number
generator? Just curious.


To unsubscribe, e-mail:
For additional commands, e-mail:

Reply via email to