On Sat, Oct 07, 2006 at 06:55:09PM -0400, Ben Collins wrote:
> On Sat, 2006-10-07 at 18:51 +0200, Marc Haber wrote:
> > Frankly, I don't see a gain in generating the dh_parameters on package
> > installation or from the init script. Am I missing something?
>
> The benefit is that during installation, people expect things to be
> down. When it's installed, people don't expect their smtp server to
> start timing because of lack of entropy.

With gnutls-bin or openssl installed, dh-params are generated
asynchronously, so the only time where no dh-params are available is
right after installation.

> If I installed the package, and it asked for entropy then (or did
> it when exim first started up) then you know there's a delay, and you
> know why, and it gives you the opportunity to create this entropy
> without worrying about things like an smtp connection timing out.
>
> The bad thing about it happening when first connection occurs is that if
> the smtp connection times out, all of that entropy it got already is
> thrown away. The next connection starts the process again, most likely
> with zero entropy at that point.

If an exim starts creating its own dh-params while the first
asynchronous dh-param generation is already running, you have multiple
processes competing over the precious entropy while both are trying to
accomplish the same.

> You should not have to jigger a setup like this.

Agreed, but I don't see an acceptable fix at the moment.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
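The contention Marc describes (an exim instance starting its own DH-parameter generation while the post-install generator is still running, both draining the same entropy pool) is the kind of race an atomic lock removes. The script below is an added example, not code from this thread or from the exim4 package; the file paths, the `dh_generator` helper and the `openssl dhparam` invocation are assumptions.

```shell
#!/bin/sh
# Lock-protected, one-at-a-time DH parameter generation (added example;
# paths and helper names are assumptions, not the exim4 package's own).
DH_FILE="${DH_FILE:-/etc/exim4/exim.dh}"
DH_BITS="${DH_BITS:-2048}"

# dh_generator TMPFILE BITS: the slow, entropy-hungry step. It is a
# separate function so another tool (e.g. certtool) can be swapped in.
dh_generator() {
    openssl dhparam -out "$1" "$2" 2>/dev/null
}

# generate_dh TARGET: create TARGET once, with at most one generator alive.
# Returns 0 if parameters exist (already or newly), 1 if generation failed,
# 2 if another generator currently holds the lock.
generate_dh() {
    target="$1"
    lock="$target.lock"
    tmp="$target.tmp"

    # Nothing to do once parameters are present.
    if [ -s "$target" ]; then
        return 0
    fi

    # mkdir is atomic even with concurrent callers, so only one of
    # "post-install generator" and "exim starting up" gets past this
    # line; the loser backs off instead of competing for entropy.
    if ! mkdir "$lock" 2>/dev/null; then
        return 2
    fi

    # Generate into a temp file, then rename atomically so a reader
    # (exim) never picks up a half-written parameter file.
    rc=0
    if dh_generator "$tmp" "$DH_BITS" && [ -s "$tmp" ]; then
        chmod 0640 "$tmp"
        mv -f "$tmp" "$target"
    else
        rm -f "$tmp"
        rc=1
    fi
    rmdir "$lock"
    return "$rc"
}

# From a postinst or init script: run in the background so the install
# returns at once and the first SMTP connection is not the one waiting.
case "${1:-}" in
    --background) generate_dh "$DH_FILE" & ;;
esac
```

An exim start-up hook that calls `generate_dh` and treats return code 2 as "someone else is already on it" gets the behaviour the thread asks for: one generator, no wasted entropy.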