Clue #1: if you move the mouse or type on the machine's keyboard, eventually the connection will complete.
Of course the reason for it hanging is that Java is using /dev/random to generate the keys for the SSL connection. And /dev/random gets all of its entropy from the physical environment, and refuses to return random values until it gets some input from the outside world.
We don't see this on a machine that boots from disk; I assume that /dev/random gets entropy from the interaction with the drive, via interrupts and so forth. For some reason the network activity doesn't yield the same entropy data, or at least not enough.
I found this article that discusses the usefulness of /dev/random given its current design.
In order to work around this, we decided to use /dev/urandom. We could do this by a link in the file system, but a much superior solution is to set the following system property in Java:
-Djava.security.egd=file:/dev/urandom
Now all you have to worry about is attacks against your SSL connection from those who know that you are using the pseudo-random number generator...
No comments:
Post a Comment