On 05/04/18 18:11, Christopher Schultz wrote:

<snip/>

> Tomcat allows libapr to give access to the OpenSSL PRNG for
> random-generation of things like session ids, right? I thought there was
> an option in there in the past for something like that, but I can't seem
> to find it right now. The page for <Manager> seems to indicate that
> java.security.SecureRandom (or compatible instance from an explicit
> Provider) will always be used, so maybe that's no longer a thing.

I too thought this an option in the past but I can't find any code that
ever implemented it.

> This article also mentions that "just use[ing] OpenSSL" for website
> security is appropriate. From that, I'm assuming that OpenSSL's TLS
> implementation uses the OS's source of randomness (e.g. /dev/urandom)
> rather than its own.
>
> Are there any instances where Tomcat is using OpenSSL's random-number
> generator? Just curious.

Not that I can find.

Mark