On 16 Sep 2006, at 15:39, Andreas Metzler wrote:
Hello, Do you have gnutls-bin installed at all? The only thing causing exim to block on STARTTLS is key and dh-param generation. Both is done offline (/etc/cron.daily/exim4-base invoking /usr/share/exim4/exim4_refresh_gnutls-params which uses certtool).
I noticed that gnutls-bin was "suggested" after the maintainer reply. Since I already have openssl installed, I simply ignored the suggestion. I'm happy the parameters can be generated outside of exim, as this downgrades the severity (somewhat) of the problem.
Upstream quickly tagged as this as "can't be done": I'd say this simply wrong. Everything can be done, provided enough time is given. Generating the keys outside of exim is one solution, and it's already implemented. If exim insists on supporting keys generation in STARTTLS, special handling MUST be implemented to avoid the DoS condition, because generating keys IS supposed to wait indefinitely. IMHO, refusing to generate the keys on-the-fly and emitting a temporary local problem until the keys are ready avoids the race without requiring heavy modifications on the exim side. The other peer can always refuse to initiate the transfer until tls is ready. Until this is fixed, exim supports flawed behavior. This is not debian related however, so I'll manage with upstream directly.
About Debian. Since the race _can_ be avoided (my bad I didn't notice), I'd say that it's a priority to inform users enough. A simple Suggest isn't enough, as proven by the reports already filed.
Maybe examples/exim-gencert in exim4-base should call the cron job in order to generate the keys immediately. README.Debian, instead of suggesting to check /dev/random, should inform that generation of keys in STARTTLS is subject to dossability, and thus, when setting up TLS and generating the certificates, the relative keys should be generated immediately too (this should be enough since README.Debian is referenced in main/03_exim4-config_tlsoptions), mentioning that gnutls-bin is _required_ to perform the task.
Also note that openssl can be used to generate the keys (in fact, I'm using openssl now), which is a problem less.
Maybe the Suggest: can also be raised to a Recommend too. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
