Mihaly Toth created SOLR-10385:
----------------------------------

Summary: Random source for SecureRandom in production
Key: SOLR-10385
URL: https://issues.apache.org/jira/browse/SOLR-10385
Project: Solr
Issue Type: Improvement
Security Level: Public (Default Security Level. Issues are Public)
Reporter: Mihaly Toth

The current source of randomness for SecureRandom is blocking on some low entropy devices. The question is how secure would it be to change to a non-blocking source.

Some relevant comments from prior art issues:

https://issues.apache.org/jira/browse/SOLR-10338?focusedCommentId=15945523&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15945523
https://issues.apache.org/jira/browse/SOLR-10352?focusedCommentId=15939053&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15939053
https://issues.apache.org/jira/browse/SOLR-10338?focusedCommentId=15945420&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15945420
https://issues.apache.org/jira/browse/SOLR-10338?focusedCommentId=15945467&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15945467

Also, let me quote here Apache HTTP Server's approach:
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslrandomseed
It seems to let the user decide which option to select.

And a very good argumentation for {{/dev/urandom}}:
http://www.2uo.de/myths-about-urandom/
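
As an added illustration (not part of the original message and not Solr code), this Java diagnostic reports which seed source a JVM is configured with and how long each SecureRandom algorithm takes to produce bytes on the host. The algorithm names are those of the JDK's SUN provider on Linux/Unix (Java 8+); the class name is made up for this example.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.Security;

/** Added example: shows the configured seed source and times each SecureRandom algorithm. */
public class SecureRandomSourceCheck {

    // SUN provider algorithm names on Linux/Unix JVMs:
    //   NativePRNG            nextBytes from /dev/urandom, generateSeed from /dev/random
    //   NativePRNGBlocking    both from /dev/random
    //   NativePRNGNonBlocking both from /dev/urandom
    //   SHA1PRNG              seeded from securerandom.source on first use
    private static final String[] ALGORITHMS = {
        "NativePRNG", "NativePRNGBlocking", "NativePRNGNonBlocking", "SHA1PRNG"
    };

    /** Times one nextBytes() call; returns elapsed ms, or -1 if the algorithm is unavailable. */
    static long timeNextBytes(String algorithm, int numBytes) {
        try {
            SecureRandom rng = SecureRandom.getInstance(algorithm);
            long start = System.nanoTime();
            rng.nextBytes(new byte[numBytes]);
            return (System.nanoTime() - start) / 1_000_000;
        } catch (NoSuchAlgorithmException e) {
            return -1;
        }
    }

    public static void main(String[] args) {
        // securerandom.source is read from the java.security file;
        // the java.security.egd system property overrides it when set.
        System.out.println("securerandom.source = " + Security.getProperty("securerandom.source"));
        System.out.println("java.security.egd   = " + System.getProperty("java.security.egd"));
        System.out.println("default algorithm   = " + new SecureRandom().getAlgorithm());

        for (String alg : ALGORITHMS) {
            long ms = timeNextBytes(alg, 32);
            System.out.println(alg + ": " + (ms < 0 ? "not available" : ms + " ms for 32 bytes"));
        }
    }
}
```

On a host whose blocking pool is starved, the `NativePRNGBlocking` line is the one that may stall, which makes the cost of the blocking source visible before deciding on a configuration.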