On 05/04/18 18:11, Christopher Schultz wrote:


> Tomcat allows libapr to give access to the OpenSSL PRNG for
> random-generation of things like session ids, right? I thought there was
> an option in there in the past for something like that, but I can't seem
> to find it right now. The page for <Manager> seems to indicate that
> java.security.SecureRandom (or compatible instance from an explicit
> Provider) will always be used, so maybe that's no longer a thing.

 I too thought this an option in the past but I can't find any code that
ever implemented it.

> This article also mentions that "just use[ing] OpenSSL" for website
> security is appropriate. From that, I'm assuming that OpenSSL's TLS
> implementation uses the OS's source of randomness (e.g. /dev/urandom)
> rather than its own.
> Are there any instances where Tomcat is using OpenSSL's random-number
> generator? Just curious.

Not that I can find.


To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to