Name: gm110360 Date: 06/20/2002


FULL PRODUCT VERSION :
> java -version
java version "1.4.0"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.0-b92)
Java HotSpot(TM) Client VM (build 1.4.0-b92, mixed mode)


FULL OPERATING SYSTEM VERSION :
[fjo@maren jObj]$ uname -r -s -p
Linux 2.4.9-34 unknown

On intel pIII

A DESCRIPTION OF THE PROBLEM :
I'm using SSL to access a webbserver and https:// urls,
which is now available by default and use the
com.sun.net.ssl package I believe.

The problem is that the SecureRandom number generator which
is used to create the connection is seeded from the blocking
random device /dev/random. This causes an application using
SSL urls to hang anything from seconds to several minutes
depending on how much randomness is available on the first
access of a https url.

I believe all linuxes has /dev/urandom today, and hopefully
so will Solaris in the next versions (there is a patch for
it). If SecureRandom was seeded from /dev/urandom instead
the performance would increase incredibly.

So basically, please use /dev/urandom prior to /dev/random
if it exists. There are too many asking for randomness
nowadays to use /dev/random. The increased security of using
/dev/random for seeding must be rather negligible and right
now the performance of setting up a connection is so bad
that I may not be able to use SSL at all, which doesn't
really improve security.


STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1.Use any api that accesses an url and access a https one.
It is a documented "feature", I simply ask it to be resolved.



REPRODUCIBILITY :
This bug can be reproduced always.
(Review ID: 153694)
======================================================================