I've packaged gnutls 2.3.4 (upstream's current development version) for my own testing, and I see the same behavior described in this ticket using 2.3.4 on a lenny/sid i386 system (see strace and package versions below). So the problem isn't unique to the version in lenny.

I'm afraid I don't know enough about crypto to know why reading from /dev/urandom (a PRNG itself, aiui) would be cryptographically worse than implementing your own internal PRNG and seeding it from /dev/urandom, which seems to be what this bug is suggesting would be better. I'd be happy to learn, though.

By comparison, "openssl dhparam" only reads 32 bytes from /dev/urandom for the same task (and uses its own PRNG according to dhparam(1ssl)).

Regards,

	--dkg

Here's the openssl run:

[0 [EMAIL PROTECTED] ~]$ strace -eread,open openssl dhparam 384
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/usr/lib/i686/cmov/libssl.so.0.9.8", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220\330"..., 512) = 512
open("/usr/lib/i686/cmov/libcrypto.so.0.9.8", O_RDONLY) = 3
read(3, "[EMAIL PROTECTED]"..., 512) = 512
open("/lib/i686/cmov/libdl.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0p\n\0\000"..., 512) = 512
open("/usr/lib/libz.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\30"..., 512) = 512
open("/lib/i686/cmov/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\260e\1"..., 512) = 512
open("/usr/lib/ssl/openssl.cnf", O_RDONLY|O_LARGEFILE) = 3
read(3, "#\n# OpenSSL example configuratio"..., 4096) = 4096
read(3, "_name ]\ncountryName\t\t\t= Country "..., 4096) = 4096
read(3, " an SSL server.\n# nsCertType\t\t\t="..., 4096) = 1182
read(3, "", 4096) = 0
open("/proc/meminfo", O_RDONLY) = 3
read(3, "MemTotal: 507980 kB\nMemFre"..., 1024) = 728
open("/home/dkg/.rnd", O_RDONLY) = 3
read(3, "\211\223\35+\244_\343\335v\225\365\340\377=\236\t\"\21"..., 4096) = 1024
read(3, "", 4096) = 0
Generating DH parameters, 384 bit long safe prime, generator 2
This is going to take a long time
open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 3
read(3, "\251\240*\3307\270\212\255\240\305>Z\257D_\326go\24\275"..., 32) = 32
........................................................+....+...+.......+................+..+................+.................+........+......................................................+........................................................................+............................................................................+......+..............+.............+.............+.+......................++*++*++*++*++*++*++*++*
open("/home/dkg/.rnd", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
-----BEGIN DH PARAMETERS-----
MDYCMQClD/cztoER1Yur0rvM0VwnWH1LNjndViK73lB15gZ0JPUqUIEzYqIxwfPx
0fAs+GMCAQI=
-----END DH PARAMETERS-----
Process 12428 detached
[0 [EMAIL PROTECTED] ~]$ dpkg -l $(dlocate $(ldd $(which openssl) | awk '{ print $3 }' | grep ^/) | cut -f1 -d: | sort -u)
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-============================================
ii  libc6-i686     2.7-10         GNU C Library: Shared libraries [i686 optimi
ii  libssl0.9.8    0.9.8g-8       SSL shared libraries
ii  zlib1g         1:1.2.3.3.dfsg compression library - runtime
[0 [EMAIL PROTECTED] ~]$

And here's the certtool run:

[0 [EMAIL PROTECTED] ~]$ strace -eread,open -s12 certtool --generate-dh-params --bits 384
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/usr/lib/libgnutls.so.26", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0"..., 512) = 512
open("/usr/lib/libz.so.1", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0"..., 512) = 512
open("/usr/lib/libtasn1.so.3", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0"..., 512) = 512
open("/usr/lib/libgcrypt.so.11", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0"..., 512) = 512
open("/usr/lib/libgpg-error.so.0", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0"..., 512) = 512
open("/lib/libreadline.so.5", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0"..., 512) = 512
open("/lib/i686/cmov/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0"..., 512) = 512
open("/lib/libncurses.so.5", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0"..., 512) = 512
open("/lib/i686/cmov/libdl.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0"..., 512) = 512
open("/dev/urandom", O_RDONLY) = 3
read(3, "y\251Az\t*\254"..., 120) = 120
read(3, "<}\265=\345\363"..., 120) = 120
read(3, "\223\325\21(\334"..., 120) = 120
read(3, "\250\316\350V\305"..., 120) = 120
read(3, "#y4\377\306\247"..., 120) = 120
read(3, "\313\337\363C\213"..., 120) = 120
read(3, "\17\324\25\35\344"..., 120) = 120
read(3, "\264N\177f\263"..., 120) = 120
read(3, "WV-\206\241%\246"..., 120) = 120
read(3, "\365\f\273\217"..., 120) = 120
read(3, "\30NA\257\35(\241"..., 120) = 120
read(3, "mo\263\234\213"..., 120) = 120
read(3, "#\312\214)\n\17"..., 120) = 120
read(3, "\34\25\351}\276"..., 120) = 120
read(3, "\322&-\"[EMAIL PROTECTED]"..., 120) = 120
read(3, "\224\235\265\n"..., 120) = 120
read(3, "\357\335\366>&"..., 120) = 120
read(3, "f^z\36\374\324"..., 120) = 120
read(3, " \'>\243\356\207"..., 120) = 120
read(3, "XK\233b\266\024"..., 120) = 120
read(3, "V)\352\217>\226"..., 120) = 120
read(3, "x\310\352\250{"..., 120) = 120
read(3, "\353\371\10Z\330"..., 120) = 120
read(3, "\362\37\255\255"..., 120) = 120
read(3, "2E\242u\376g$\202"..., 120) = 120
Generating DH parameters...
Generator: 05
Prime:
	91:93:0b:bc:40:ac:a7:bd:69:26:15:f1
	13:b6:83:4e:a1:29:30:25:1e:5e:ec:5f
	fc:be:da:e5:4f:4d:16:8e:78:98:66:73
	84:74:44:1a:4c:5c:5e:25:c7:f6:ba:8f
-----BEGIN DH PARAMETERS-----
MDYCMQCRkwu8QKynvWkmFfETtoNOoSkwJR5e7F/8vtrlT00WjniYZnOEdEQaTFxe
Jcf2uo8CAQU=
-----END DH PARAMETERS-----
Process 11992 detached
[0 [EMAIL PROTECTED] ~]$ dpkg -l $(dlocate $(ldd $(which certtool) | awk '{ print $3 }' | grep ^/) | cut -f1 -d: | sort -u)
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-============================================
ii  libc6-i686     2.7-10         GNU C Library: Shared libraries [i686 optimi
ii  libgcrypt11    1.4.0-3        LGPL Crypto library - runtime library
ii  libgnutls26    2.3.4-1~dkg2   the GNU TLS library - runtime library
ii  libgnutls26-db 2.3.4-1~dkg2   GNU TLS library - debugger symbols
ii  libgpg-error0  1.4-2          library for common error values and messages
ii  libncurses5    5.6+20080308-1 Shared libraries for terminal handling
ii  libreadline5   5.2-3          GNU readline and history libraries, run-time
ii  libtasn1-3     1.3-1          Manage ASN.1 structures (runtime)
ii  zlib1g         1:1.2.3.3.dfsg compression library - runtime
[0 [EMAIL PROTECTED] ~]$
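
Added example (not part of the original message): the comparison made by eye in the two strace runs above can be automated by tracking which descriptor refers to /dev/urandom and summing the return values of read() on it. The function name urandom_bytes and both sample traces are constructed for illustration; the parser assumes strace output without -f PID prefixes.

```shell
#!/bin/sh
# Added example: sum the bytes a traced program read from /dev/urandom,
# given `strace -eread,open` output on stdin (no -f PID prefixes assumed).
urandom_bytes() {
    awk '
    # open("PATH", FLAGS) = FD : remember which path the descriptor names.
    # Every open overwrites the entry, so a reused fd (3 here) stays correct.
    /^open\(/ {
        n = split($0, q, "\"")      # q[2] is the text between the quotes
        fd = $NF                    # return value is the last field
        if (n >= 3 && fd ~ /^[0-9]+$/) path[fd] = q[2]
        next
    }
    # read(FD, "...", LEN) = RET : count RET only when FD is /dev/urandom.
    /^read\(/ {
        fd = $1
        sub(/^read\(/, "", fd); sub(/,.*/, "", fd)
        ret = $NF
        if (path[fd] == "/dev/urandom" && ret ~ /^[0-9]+$/) total += ret
    }
    END { print total + 0 }
    '
}

# Constructed sample traces in the shape of the two runs (shortened).
sample_openssl() {
    cat <<'EOF'
open("/home/user/.rnd", O_RDONLY) = 3
read(3, "\211\223\35+"..., 4096) = 1024
read(3, "", 4096) = 0
open("/dev/urandom", O_RDONLY|O_NOCTTY|O_NONBLOCK) = 3
read(3, "\251\240*\3307"..., 32) = 32
EOF
}
sample_certtool() {
    cat <<'EOF'
open("/lib/libdl.so.2", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0"..., 512) = 512
open("/dev/urandom", O_RDONLY) = 3
read(3, "y\251Az\t*\254"..., 120) = 120
read(3, " \'>\243\356\207"..., 120) = 120
read(3, "#y4\377\306\247"..., 120) = 120
EOF
}

echo "openssl-like:  $(sample_openssl | urandom_bytes) bytes"
echo "certtool-like: $(sample_certtool | urandom_bytes) bytes"
```

strace writes its trace to stderr, so for a real run save it with strace's -o FILE option and feed that file to urandom_bytes on stdin.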