www.rodneybeede.com "I would love to change the world, but they won't give me the source code" - unknown
 Navigation

Java ignores /dev/urandom or slow Tomcat SHA1PRNG SSL - Last Modified 2011-04-13 23:08 UTC - Created 2011-04-13 23:05 UTC

I discovered that since Java 1.5 Sun decided to make some hack that always ignores /dev/urandom as a possible device for SHA1PRNG.

Perhaps a good choice for security reasons, but if you have Tomcat in a development environment, and you wanted to test SSL it can take Tomcat forever to startup due to it waiting on entropy.

The recommended solutions online must have been written back in Java 1.4 with Tomcat days where you could set RANDFILE or -Djava.security.egd=file:/dev/urandom, etc. to fix it. However using "/dev/urandom" is ignored as per http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6202721.

Some people like to use /dev/./urandom to fool Java into not overridding it with /dev/random. Others even use /dev/zero. Annoying that Sun decided this isn't a bug and didn't ever bother to document this anywhere like in the java.security file.

Options to fix:

  1. Leave it as is where /dev/random is used (even if set to /dev/urandom) and use some third party tool to introduce sufficient random entropy into your system so /dev/random doesn't block so slowly
  2. Modify jre/lib/security/java.security file so line securerandom.source=file:/dev/./urandom
  3. Pass in -Djava.security.egd=file:/dev/./urandom

#1 is your best option to get real security. The other options are useful for test/dev environments where you aren't using real SSL certificates and security doesn't matter.