[ https://issues.apache.org/jira/browse/SOLR-2019?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12893210#action_12893210 ]
Uwe Schindler commented on SOLR-2019:
-------------------------------------

I see no problem in having an insecure hash generator for session ids. When tests are running, the jetty is localhost only and never in production. So in my opinion, the first patch without sysprops is perfectly fine. There is nothing insecure in it.

> Jetty sometimes randomly takes a long time to start
> ---------------------------------------------------
>
> Key: SOLR-2019
> URL: https://issues.apache.org/jira/browse/SOLR-2019
> Project: Solr
> Issue Type: Bug
> Reporter: Michael McCandless
> Fix For: 3.1, 4.0
>
> Attachments: SOLR-2019.patch, SOLR-2019_insecure.patch
>
>
> I'm hitting this Jetty issue when running Solr's tests that spawn a Jetty:
> http://jira.codehaus.org/browse/JETTY-331
> It seems to be caused by this root cause:
> http://bugs.sun.com/view_bug.do?bug_id=6202721
> Whereby, somehow, Jetty is trying to use a cryptographically secure source of
> randomness to seed its HashSessionIdManager. My box doesn't have enough
> entropy so the read blocks for sometimes 10s of seconds!
> If I forcefully symlink /dev/random -> /dev/urandom, that fixes the hang.
> Likewise, if I edit the JRE's java.security to set
> securerandom.source=file:/dev/./urandom, that also fixes it. But I think we
> can work around this more "generally" by doing the workaround suggested in the
> Jetty issue (pass java.util.Random not java.security.SecureRandom).
> However, it's still not clear how widespread / what envs this issue really
> affects (besides mine)...
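A probe for the open question at the end of the issue description, which environments are affected: it prints the JVM's entropy-source settings and times how long SecureRandom takes to seed. This is an added example, not code from the SOLR-2019 patches or from Jetty; the class name, the 2-second threshold and the 30-second timeout are assumptions.

```java
import java.security.SecureRandom;
import java.security.Security;
import java.util.concurrent.*;

public class SeedBlockCheck {
    static final long SLOW_MS = 2_000;      // assumed threshold for "noticeably slow"
    static final long TIMEOUT_MS = 30_000;  // assumed upper bound before giving up

    /** Runs task on a daemon thread; returns elapsed ms, or -1 if still blocked at the timeout. */
    static long timeMs(Callable<?> task) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor(r -> {
            Thread t = new Thread(r, "seed-probe");
            t.setDaemon(true); // a read stuck on /dev/random must not keep the JVM alive
            return t;
        });
        long start = System.nanoTime();
        Future<?> f = pool.submit(task);
        try {
            f.get(TIMEOUT_MS, TimeUnit.MILLISECONDS);
            return TimeUnit.NANOSECONDS.toMillis(System.nanoTime() - start);
        } catch (TimeoutException e) {
            return -1;
        } finally {
            pool.shutdownNow();
        }
    }

    static String verdict(long ms) {
        if (ms < 0) return "BLOCKED (> " + TIMEOUT_MS + " ms)";
        return ms + " ms" + (ms >= SLOW_MS ? "  <-- slow, likely waiting for entropy" : "");
    }

    public static void main(String[] args) throws Exception {
        // securerandom.source is the java.security entry from the issue;
        // java.security.egd is the system property that can override it.
        System.out.println("securerandom.source = " + Security.getProperty("securerandom.source"));
        System.out.println("java.security.egd   = " + System.getProperty("java.security.egd"));

        // First use forces the generator to seed itself, as a SecureRandom-backed
        // session id generator would at startup.
        long firstUse = timeMs(() -> { new SecureRandom().nextBytes(new byte[16]); return null; });
        // Explicit seed request; depending on JVM and configuration this may read the blocking device.
        long seed = timeMs(() -> new SecureRandom().generateSeed(16));

        System.out.println("first nextBytes(16): " + verdict(firstUse));
        System.out.println("generateSeed(16):    " + verdict(seed));
    }
}
```

Run it on a freshly booted or headless build machine, where the entropy pool is most likely to be low, and compare the timings with and without `-Djava.security.egd=file:/dev/./urandom`.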