
java slow : entropy related issue

I am running into an issue where java is slow when used over SSL. The solution is to add

-Djava.security.egd=file:/dev/./urandom
to java at the command line. Since I have multiple JVMs, I don't want to modify every single JVM to contain this string and hence would like to add it to the file
$JAVA_HOME/jre/lib/security/java.security

Now, the java.security file already contains

securerandom.source=file:/dev/urandom

Two questions on this:

  1. Why and how is "/dev/urandom" different from "/dev/./urandom"? Why doesn't java accept "/dev/urandom"?
  2. For the JVMs that I have running, how can I tell whether they are using the correct urandom device (vs random)?
souser asked Dec 16 '22 03:12


1 Answer

This is actually a hack introduced into the JVM back in the 1.3 or 1.4 days.

http://bugs.sun.com/view_bug.do?bug_id=4705093

http://bugs.sun.com/view_bug.do?bug_id=6202721

The basic issue is that in the native JVM code they hardcoded /dev/urandom to actually use /dev/random to attempt to ensure sufficient entropy. Since /dev/urandom is supposed to be guaranteed not to block, this has the unintended consequence of blocking if not enough entropy is available.

The hardcoding looks specifically for the string /dev/urandom, so providing something that resolves to the same thing but doesn't match that causes the desired behavior. If you code /dev/./urandom you bypass the hardcoded aliasing and get to the intended urandom entropy source.

Jim Garrison answered Dec 17 '22 15:12
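For the second question, one way to check running JVMs on Linux, as an added example that is not part of the original question or answer: the functions below read each Java process's command line for -Djava.security.egd and report which of /dev/random and /dev/urandom it currently has open under /proc. PROC_ROOT is a hypothetical override for pointing the functions at a test tree; a JVM that has not yet opened either device reports "none".

```shell
#!/bin/sh
# Added example: which kernel random device does each running JVM hold open?
# PROC_ROOT is a hypothetical override (not a JVM or kernel setting).
PROC_ROOT=${PROC_ROOT:-/proc}

# jvm_egd_flag PID: print the last -Djava.security.egd value on the command
# line, or "(unset)". A value set only in java.security is not visible here.
jvm_egd_flag() {
    flag=$(tr '\0' '\n' 2>/dev/null < "$PROC_ROOT/$1/cmdline" |
           sed -n 's/^-Djava\.security\.egd=//p' | tail -n 1)
    echo "${flag:-(unset)}"
}

# jvm_open_devices PID: print "random", "urandom", "both" or "none".
# /proc/PID/fd holds resolved paths, so /dev/./urandom shows as /dev/urandom.
jvm_open_devices() {
    r=0; u=0
    for fd in "$PROC_ROOT/$1"/fd/*; do
        case $(readlink "$fd" 2>/dev/null || true) in
            /dev/random)  r=1 ;;
            /dev/urandom) u=1 ;;
        esac
    done
    case "$r$u" in
        11) echo both ;;
        10) echo random ;;
        01) echo urandom ;;
        *)  echo none ;;
    esac
}

# jvm_entropy_report: one line per process whose argv[0] is "java" or ".../java".
jvm_entropy_report() {
    for dir in "$PROC_ROOT"/[0-9]*; do
        [ -r "$dir/cmdline" ] || continue
        pid=${dir##*/}
        argv0=$(tr '\0' '\n' < "$dir/cmdline" | head -n 1)
        case "$argv0" in
            java|*/java)
                echo "$pid egd=$(jvm_egd_flag "$pid") open=$(jvm_open_devices "$pid")" ;;
        esac
    done
}
```

Source the file and call jvm_entropy_report as root or as the user that owns the JVMs, since another user's /proc/PID/fd is not readable. A result of "random" or "both" means the process holds a descriptor on the blocking device.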