Mihaly Toth created SOLR-10385:
----------------------------------

             Summary: Random source for SecureRandom in production
                 Key: SOLR-10385
                 URL: https://issues.apache.org/jira/browse/SOLR-10385
             Project: Solr
          Issue Type: Improvement
      Security Level: Public (Default Security Level. Issues are Public)
            Reporter: Mihaly Toth


The current source of randomness for SecureRandom is blocking on some 
low-entropy devices. The question is how secure it would be to change to a 
non-blocking source. Some relevant comments from prior art issues:

https://issues.apache.org/jira/browse/SOLR-10338?focusedCommentId=15945523&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15945523

https://issues.apache.org/jira/browse/SOLR-10352?focusedCommentId=15939053&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15939053

https://issues.apache.org/jira/browse/SOLR-10338?focusedCommentId=15945420&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15945420

https://issues.apache.org/jira/browse/SOLR-10338?focusedCommentId=15945467&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15945467

Also, let me quote here Apache HTTP Server's approach:
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslrandomseed
It seems to let the user decide which option to select.

And a very good argument for {{/dev/urandom}}:
http://www.2uo.de/myths-about-urandom/



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
