On Sat, Sep 16, 2006 at 06:09:35PM +0200, Yuri D'Elia wrote:
> On 16 Sep 2006, at 15:39, Andreas Metzler wrote:
> >The only thing causing exim to block on STARTTLS is key and dh-param
> >generation. Both are done offline (/etc/cron.daily/exim4-base invoking
> >/usr/share/exim4/exim4_refresh_gnutls-params which uses certtool).
>
> I noticed that gnutls-bin was "suggested" after the maintainer reply.
> Since I already have openssl installed, I simply ignored the
> suggestion. I'm happy the parameters can be generated outside of
> exim, as this downgrades the severity (somewhat) of the problem.
It is now more clearly documented.

> Upstream quickly tagged this as "can't be done": I'd say this is
> simply wrong. Everything can be done, provided enough time is given.

Do you really think that it should be exim's job to re-implement a
good part of a TLS library? Please take this up with upstream or the
tech ctte.

> About Debian. Since the race _can_ be avoided (my bad, I didn't
> notice), I'd say that it's a priority to inform users enough. A
> simple Suggests isn't enough, as proven by the reports already filed.

What should we do?

> Maybe examples/exim-gencert in exim4-base should call the cron job in
> order to generate the keys immediately.

I'd rather invoke a key generation process in the background from the
init script if dh parameters are not present.

> README.Debian, instead of suggesting to check /dev/random, should
> inform that generation of keys in STARTTLS is subject to dossability,
> and thus, when setting up TLS and generating the certificates, the
> relative keys should be generated immediately too (this should be
> enough since README.Debian is referenced in
> main/03_exim4-config_tlsoptions), mentioning that gnutls-bin is
> _required_ to perform the task.

Please send a patch. Please notice that I reserve the right to change
your words while applying the patch.

> Also note that openssl can be used to generate the keys (in fact, I'm
> using openssl now), which is one problem less.

Please send a patch.

> Maybe the Suggests: can also be raised to a Recommends: too.

I think that Suggests: is appropriate, as of Policy 7.2. If you
disagree, please take this to the tech ctte.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt  | Fax: *49 621 72739835
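The thread's point is that exim blocks on the first STARTTLS only when it has to generate the Diffie-Hellman parameters itself, and that the fix is to generate them offline (a cron job, or a background job from the init script when the file is missing). The following shell script is an added illustration of that approach and is not the exim4-base package's own cron job or init script. It assumes openssl is installed, that exim is pointed at the output file through its tls_dhparam option, and uses a hypothetical output path and a 2048-bit default; the generated file is written to a temporary name and renamed into place so that a daemon reading it concurrently never sees a half-written file.

```shell
#!/bin/sh
# Added example, not the exim4-base package's own cron job or init script:
# offline, idempotent generation of the Diffie-Hellman parameters that exim
# would otherwise generate lazily (and block on) at the first STARTTLS.
# Assumptions: openssl is installed; the file path and the 2048-bit default
# are hypothetical choices; exim reads the file via its tls_dhparam option.

# dh_params_usable FILE
# Return 0 when FILE exists, is non-empty and parses as DH parameters,
# i.e. exim will not have to generate them itself.
dh_params_usable() {
    [ -s "$1" ] || return 1
    openssl dhparam -in "$1" -noout >/dev/null 2>&1
}

# refresh_dh_params FILE [BITS]
# Generate FILE only if it is missing or unusable (safe to run from cron
# every day). The output goes to a temporary file in the same directory
# and is renamed into place, so a daemon that reads FILE while this runs
# never sees a partially written file.
refresh_dh_params() {
    file=$1
    bits=${2:-2048}
    dh_params_usable "$file" && return 0
    dir=$(dirname "$file")
    tmp=$(mktemp "$dir/.dhparam.XXXXXX") || return 1
    if openssl dhparam -out "$tmp" "$bits" >/dev/null 2>&1; then
        chmod 0640 "$tmp"
        mv -f "$tmp" "$file"
    else
        rm -f "$tmp"
        return 1
    fi
}

# start_dh_refresh_in_background FILE [BITS]
# What an init script can do at daemon start: when the parameters are
# missing, kick off generation without delaying startup. A STARTTLS that
# arrives before the file lands still pays the generation cost inside
# exim, so the cron job stays the primary mechanism.
start_dh_refresh_in_background() {
    dh_params_usable "$1" && return 0
    refresh_dh_params "$1" "$2" &
}

# Typical use (hypothetical path):
#   refresh_dh_params /etc/exim4/dhparams.pem            # from cron.daily
#   start_dh_refresh_in_background /etc/exim4/dhparams.pem  # from init
```

Because generation reads from the system entropy pool, running it from cron on an idle machine keeps the wait off the SMTP connection entirely; the background variant is only a fallback for the window between installation and the first cron run.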