[Bug 61072] New: SessionIdGeneratorBase will not use platform default SecureRandom algorithm for empty secureRandomAlgorithm attribute

Thu, 04 May 2017 22:29:25 -0700 

https://bz.apache.org/bugzilla/show_bug.cgi?id=61072

            Bug ID: 61072
           Summary: SessionIdGeneratorBase will not use platform default
                    SecureRandom algorithm for empty secureRandomAlgorithm
                    attribute
           Product: Tomcat 9
           Version: 9.0.0.M20
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: simon.bjor...@gmail.com
  Target Milestone: -----

Setting secureRandomAlgorithm to an empty string and not specifying
secureRandomProvider still seems to lead to SessionIdGeneratorBase creating its
SecureRandom instance using SecureRandom.getInstance("SHA1PRNG"), which is
contrary to the wording in the documentation saying "To specify that the
platform default should be used, do not set the secureRandomProvider attribute
and set this attribute to the empty string.". See the implementation of
SessionIdGeneratorBase.createSecureRandom(), where the "result = new
SecureRandom()" line doesn't seem to be triggered for this case
(secureRandomProvider=null, secureRandomAlgorithm="").

Getting the platform default SecureRandom algorithm is wanted on Linux systems
where /dev/random blocks or is slow, either due to misconfiguration or
exhaustion. See the latest comment on
http://bugs.java.com/view_bug.do?bug_id=4705093 for a description of the
current SecureRandom behavior. Regardless of that problem, and the motivation
it provides for being able to easily get a default algorithm SecureRandom, I
believe the former paragraph describes either a documentation or implementation
bug in itself, so unless requested I don't think it's necessary to prove in
this bug entry that Tomcat hangs on such a system. (Though it could be argued
that platform default SecureRandom would be a better default to make Tomcat
never block on /dev/random out-of-the-box.)

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to