Re: Throwing shade on OpenSSL's RNG?

2018-04-06 Thread Mark Thomas
On 05/04/18 18:11, Christopher Schultz wrote:



> Tomcat allows libapr to give access to the OpenSSL PRNG for
> random-generation of things like session ids, right? I thought there was
> an option in there in the past for something like that, but I can't seem
> to find it right now. The page for  seems to indicate that
> java.security.SecureRandom (or compatible instance from an explicit
> Provider) will always be used, so maybe that's no longer a thing.

I too thought this an option in the past but I can't find any code that
ever implemented it.

> This article also mentions that "just use[ing] OpenSSL" for website
> security is appropriate. From that, I'm assuming that OpenSSL's TLS
> implementation uses the OS's source of randomness (e.g. /dev/urandom)
> rather than its own.
> 
> Are there any instances where Tomcat is using OpenSSL's random-number
> generator? Just curious.

Not that I can find.

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Throwing shade on OpenSSL's RNG?

2018-04-05 Thread Christopher Schultz
All,

I had never seen anyone mention this, but ...

http://latacora.singles/2018/04/03/cryptographic-right-answers.html

The first reference to "openssl" in the page recommends against using
the RNG from that library. This is a cryptographer author, so I assume
that "RNG" means something different than PRNG? That doesn't make much
sense to me, but I'm not a cryptographer...

I can't find a reference to anything but the PRNG in OpenSSL, so I'm
going to assume they are the same thing.

Tomcat allows libapr to give access to the OpenSSL PRNG for
random-generation of things like session ids, right? I thought there was
an option in there in the past for something like that, but I can't seem
to find it right now. The page for  seems to indicate that
java.security.SecureRandom (or compatible instance from an explicit
Provider) will always be used, so maybe that's no longer a thing.

This article also mentions that "just use[ing] OpenSSL" for website
security is appropriate. From that, I'm assuming that OpenSSL's TLS
implementation uses the OS's source of randomness (e.g. /dev/urandom)
rather than its own.

Are there any instances where Tomcat is using OpenSSL's random-number
generator? Just curious.

-chris
