geronimo-dev mailing list archives

From Kevan Miller <kevan.mil...@gmail.com>
Subject Re: low entropy on linux systems
Date Thu, 18 Aug 2011 15:47:39 GMT

On Aug 18, 2011, at 1:06 AM, Shawn Jiang wrote:

> This could increase the linux start up speed significantly. Does anyone know if it is
> safe to add "-Djava.security.egd=file:/dev/./urandom" to our startup script directly?
>
> Don't know if it will break something on other linux/unix platforms.

IIRC, some unix variants don't have a /dev/urandom. I don't think these environments are very
popular. I would expect these environments would have fairly obvious failures and could be
diagnosed fairly easily.

I suppose that there is some possibility that urandom will generate a less secure seed for
the SSL server socket. I've never heard of any concerns about this, but that doesn't mean
it doesn't exist. 

This is a long-standing problem. And Java has not chosen to do anything about it. I know some
servers have used a similar approach. Others, e.g. Tomcat, have left it up to users/admins.

Given the number of times we bump into this issue, I'd say that setting "-Djava.security.egd=file:/dev/./urandom"
is likely to do more good than harm.

--kevan
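
The two concerns raised in this thread (platforms without /dev/urandom, and leaving the choice to users/admins) written as a startup-script guard. This is an added example, not part of the original message or of Geronimo's scripts; the function name `add_egd_flag`, its optional device argument, and the use of `JAVA_OPTS` are assumptions.

```shell
#!/bin/sh
# Added example, not Geronimo's startup script.
# EGD_FLAG is the option quoted in the thread; all other names are hypothetical.
EGD_FLAG='-Djava.security.egd=file:/dev/./urandom'

# add_egd_flag CURRENT_OPTS [DEVICE]
# Prints CURRENT_OPTS, with EGD_FLAG appended only when that is safe.
# DEVICE (default /dev/urandom) is the path probed before adding the flag.
add_egd_flag() {
    opts=$1
    dev=${2:-/dev/urandom}

    # An admin who already selected an entropy source keeps that choice.
    case " $opts " in
        *" -Djava.security.egd="*)
            printf '%s\n' "$opts"
            return 0
            ;;
    esac

    # Unix variants without a readable character device at DEVICE get no flag,
    # so the JVM stays on its default seed source instead of failing at startup.
    if [ -c "$dev" ] && [ -r "$dev" ]; then
        printf '%s\n' "${opts:+$opts }$EGD_FLAG"
    else
        echo "note: $dev not usable, leaving JVM entropy source at default" >&2
        printf '%s\n' "$opts"
    fi
}

# Assumed usage in a launcher: extend whatever the environment already set.
JAVA_OPTS=$(add_egd_flag "${JAVA_OPTS:-}")
export JAVA_OPTS
```

The skip message goes to stderr, so a missing device shows up in the startup log rather than as a silent change in behaviour.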