Java ignores /dev/urandom or slow Tomcat SHA1PRNG SSL

Last Modified: Wed, 13 Apr 2011 23:08:07 +0000 ; Created: Wed, 13 Apr 2011 23:05:38 +0000

I discovered that since Java 1.5 Sun decided to make some hack that always ignores /dev/urandom as a possible device for SHA1PRNG.

Perhaps a good choice for security reasons, but if you have Tomcat in a development environment, and you wanted to test SSL it can take Tomcat forever to startup due to it waiting on entropy.

The recommended solutions online must have been written back in Java 1.4 with Tomcat days where you could set RANDFILE or, etc. to fix it. However using "/dev/urandom" is ignored as per

Some people like to use /dev/./urandom to fool Java into not overridding it with /dev/random. Others even use /dev/zero. Annoying that Sun decided this isn't a bug and didn't ever bother to document this anywhere like in the file.

Options to fix:

  1. Leave it as is where /dev/random is used (even if set to /dev/urandom) and use some third party tool to introduce sufficient random entropy into your system so /dev/random doesn't block so slowly
  2. Modify jre/lib/security/ file so line securerandom.source=file:/dev/./urandom
  3. Pass in

#1 is your best option to get real security. The other options are useful for test/dev environments where you aren't using real SSL certificates and security doesn't matter.