Gregor,

On 12/20/11 12:51 PM, Gregor S. wrote:
> Ok, it's not the best solution since AFAIK /dev/urandom is not the 
> most secure implementation, but at least it's working now.

Yeah, it's a question of faster startup or "better" entropy.
Everything is PRNGs, anyway. If you want real entropy, you have to
listen to cosmic background radiation or something.

> When reading the docs, I noticed that I also can specify the
> SSLEngine to be used.
> 
> The default one is the built-in-engine when specifying
> SSLEngine="on".
> 
> Now I'm wondering:
> 
> When I compiled the APR against OpenSSL, is OpenSSL the one being
> used when I specify "SSLEngine="on""? Or do I have to specify
> something like "SSLEngine=/usr/bin/openssl""?

No, you don't have to tell it to use OpenSSL -- it will definitely do
that. The "engine" is the one to be used by OpenSSL. OpenSSL comes
with a software engine (which you may just call OpenSSL) but it's
pluggable and you can use a hardware engine with it, too (or any
number of named engines that can provide certain crypto primitives).

(I can't get httpd.apache.org to respond right now, so I can't look up
the docs for SSLEngine in the httpd documentation, but I believe their
documentation might shed more light on your question).

> Couldn't find anything on this topic in the docs.
> 
> My hopes are that OpenSSL is NOT the built-in engine, and if I
> can specify to use OpenSSL as engine to be used, I don't have to
> tweak Tomcat into using /dev/urandom.

OpenSSL needs a source of entropy, and /dev/urandom will have to be
used if your SSL can't be initialized quickly enough for you.

> But I'm afraid OpenSSL in my case equals the built-in engine.

Built into OpenSSL, yes. Not built into Java.

Do you have an OpenSSL crypto provider that you'd like to use
*besides* the software-based one? If so, that's where you'd specify it.

-chris
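
The two settings discussed in this message, as an added configuration example that is not part of the original e-mail. It assumes the APR/native connector is configured through Tomcat's `AprLifecycleListener` in `conf/server.xml`; the engine id `pkcs11` is an assumed value that must match an ENGINE your OpenSSL build actually provides.

```xml
<!-- conf/server.xml (added example; attribute values are illustrative) -->

<!-- SSLEngine="on": use OpenSSL with no specific ENGINE selected, i.e.
     OpenSSL's own software implementation. This is not a path to the
     openssl binary, and it is unrelated to Java's own providers.
     SSLRandomSeed names the source used to seed OpenSSL's PRNG.
     "builtin" is the default; /dev/urandom does not block, so the
     listener initializes faster. -->
<Listener className="org.apache.catalina.core.AprLifecycleListener"
          SSLEngine="on"
          SSLRandomSeed="/dev/urandom" />

<!-- Alternative, used instead of the element above and not alongside it:
     select a named OpenSSL ENGINE, for example a hardware-backed one.
     "pkcs11" is an assumed engine id. OpenSSL still needs to be seeded,
     so SSLRandomSeed applies here as well. -->
<!--
<Listener className="org.apache.catalina.core.AprLifecycleListener"
          SSLEngine="pkcs11"
          SSLRandomSeed="builtin" />
-->
```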
