Lighttpd

Not a bug. This is a feature request, albeit a good one.

(moving to TLS category, though there are other modules that use /dev/random and probably should have an option to use other RNGs)

https://www.openssl.org/docs/faq.html

Many open source operating systems provide a "randomness device" (/dev/urandom or /dev/random) that serves this purpose. All OpenSSL versions try to use /dev/urandom by default; starting with version 0.9.7, OpenSSL also tries /dev/random if /dev/urandom is not available.

Modern CPUs have hardware RNGs built in.

https://wiki.openssl.org/index.php/Random_Numbers

By default, OpenSSL will use the RDRANG engine to generate random numbers if the hardware is available. The behavior has been changed, but the change is only available through git at the moment. If you are concerned with RDRANG tampering, then see the discussion of ENGINEs and RDRAND.

If you have OpenSSL 1.0.1 and a machine with 3rd generation Core i5 or i7 processor (Ivy Bridge), then the Intel Secure Key Technology (formerly called Bull Mountain) [disclaimer] is available to you.

https://wiki.openssl.org/index.php/Library_Initialization#ENGINEs_and_RDRAND

.

Keeping this open as a feature request to explicitly enable specifying use of RDRANG engine with hardware RNG.
I understand this request to be asking for something similar to the Apache SSLRandomSeed directive
https://httpd.apache.org/docs/current/en/mod/mod_ssl.html#sslrandomseed

Modern SSL libraries should handle this.

If more explicit configuration of the SSL libraries is needed for choosing random device, then please comment here, though such a request would likely be folded into a more generic feature request surrounding SSL library configuration in general.