https://bz.apache.org/bugzilla/show_bug.cgi?id=65806
Bug ID: 65806
Summary: When running in FIPS mode on openjdk-17, SessionIdGeneratorBase.java throws SEVERE log messages
Product: Tomcat 9
Version: unspecified
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: sg...@apache.org
Target Milestone: -----

Unless one changes the default configuration, starting catalina on a fips-enabled machine with jdk-17 prints 2 SEVERE errors in catalina.out per context initialized.

The messages are generated in SessionIdGeneratorBase.java, and are caused by the fact that SHA1PRNG is missing in jdk-17.

The messages are confusing, but harmless. The class will use the default SecureRandom (PKCS11) when SHA1PRNG is not found.

Workaround:

* For webapps that don't define a '<Context><Manager>', one can add '<Manager secureRandomAlgorithm=""/>' to conf/context.xml. This works for ROOT and examples in a default install.
* For webapps that define a '<Context><Manager>', set 'secureRandomAlgorithm=""' in META-INF/context.xml. This works for manager and host-manager in a default install.

The log spam could be managed by checking on initialization of the class if the initial value works, and special-casing it from SHA1PRNG to "" (maybe printing a warning) in case it doesn't.

Also, I think the messages should be scaled down from SEVERE to INFO when the secureRandomAlgorithm value is SHA1PRNG, FIPS is enabled and the java version is jdk-17.
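The initialization check suggested in the report, sketched as an added example; it is not Tomcat's code and not from the reporter. The class name SecureRandomProbe and its methods are hypothetical, and only standard java.security calls are used.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Set;
import java.util.TreeSet;
import java.util.logging.Logger;

// Added example (hypothetical class, not Tomcat code): probe the configured
// SecureRandom algorithm once and fall back quietly if the JVM lacks it.
public class SecureRandomProbe {
    private static final Logger log = Logger.getLogger(SecureRandomProbe.class.getName());

    /** Names of every SecureRandom algorithm the installed providers register. */
    static Set<String> availableAlgorithms() {
        Set<String> names = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("SecureRandom".equals(s.getType())) {
                    names.add(s.getAlgorithm());
                }
            }
        }
        return names;
    }

    /**
     * Returns a generator for the configured algorithm. An empty name, or a
     * name no provider offers, yields the platform default; the unavailable
     * case is logged once at WARNING together with what is available.
     */
    static SecureRandom resolve(String configured) {
        if (configured != null && !configured.isEmpty()) {
            try {
                return SecureRandom.getInstance(configured);
            } catch (NoSuchAlgorithmException e) {
                log.warning("SecureRandom algorithm '" + configured
                        + "' is not available; using the platform default. Available: "
                        + availableAlgorithms());
            }
        }
        return new SecureRandom();
    }

    public static void main(String[] args) {
        String configured = args.length > 0 ? args[0] : "SHA1PRNG";
        SecureRandom random = resolve(configured);
        System.out.println("configured=" + configured + " effective=" + random.getAlgorithm()
                + " provider=" + random.getProvider().getName());
    }
}
```

Running it on the affected JVM shows which algorithm and provider are actually in effect, which is the fact an operator needs before deciding whether the fallback is acceptable.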