At 21:33 on 17.02.06, Jürgen Herz wrote:
> Sven Hartge wrote:
>>> Exim advertises STARTTLS in the EHLO response but upon sending the
>>> STARTTLS command, nothing happens, it looks like some client input is
>>> expected. Not if connected via client nor by hand (telnet).
>> You should see a "220 TLS go ahead" if you use telnet to debug.
>>
>> My guess: Your server is out of entropy (check
>> /proc/sys/kernel/random/entropy_avail, it should be >2000) and exim is
>> still calculating its dh_params and session key.
> Yesterday before posting I already read a hint on the web regarding
> entropy_avail. When I checked this, it was 5 - but I thought it's ok
> since it's not null.

This means "5 bits of entropy left". gnutls uses vast amounts of entropy
(compared to openssl), so it drains the entropy pool very quickly.

> Yesterday, long after I mailed my post, I finally noticed errors on the
> TLS connections showing up in the logs (about 3 hours after telnetting
> and killing telnet after waiting a few minutes for response).
>
> Today I just tested STARTTLS again and instantly got the expected 220.
> And indeed, today entropy_avail was 1184 when started. But this value is
> quite inconsistent and mostly is around 5.

exim-4.50 has a little "bug" in its gnutls-code, which causes it to use
the blocking /dev/random on SSL connections. Florian Weimer made a patch,
which resolves this issue for 4.50.

If you can, upgrade to at least 4.54, better yet 4.60. If you use Debian,
use the packages from backports.org.

> Now I'm quite puzzled, but after some searches it looks like a common
> problem. ldd says exim4 is linked against libgnutls.so.11 as well as
> libssl.so.0.9.7. Does this mean I can choose at runtime which lib to use?

This is weird. Please post your ldd output.

S°

-- 
Sven Hartge -- professional Unix geek
My thoughts on the net: http://www.svenhartge.de/
Note, new mail address: [EMAIL PROTECTED]

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
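
The symptom discussed in this thread (STARTTLS advertised in EHLO, but no "220" after the command) can be checked without telnet. The following is an added example, not part of the original mail and not Exim code; the function names, the HELO name `probe.example` and the 15-second timeout are assumptions made for illustration.

```python
import socket
import time

ENTROPY_PATH = "/proc/sys/kernel/random/entropy_avail"  # path quoted in the thread

def entropy_avail(path=ENTROPY_PATH):
    """Kernel entropy estimate in bits, or None where the file is unreadable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None

def read_reply(rfile):
    """Read one SMTP reply (multi-line replies use 'NNN-'); return (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if line[3:4] != "-":          # 'NNN ' (or a bare code) ends the reply
            return int(line[:3]), lines

def probe_starttls(sock, helo="probe.example"):
    """Run banner/EHLO/STARTTLS on a connected socket whose timeout is set.

    Returns (status, seconds waited for the STARTTLS reply); status is one of
    'ok' (220), 'refused', 'not-advertised', 'stalled' (no reply in time).
    """
    rfile = sock.makefile("rb")
    read_reply(rfile)                                   # greeting banner
    sock.sendall(b"EHLO " + helo.encode("ascii") + b"\r\n")
    _, lines = read_reply(rfile)
    if not any(l[4:].upper().startswith("STARTTLS") for l in lines):
        return "not-advertised", 0.0
    start = time.monotonic()
    sock.sendall(b"STARTTLS\r\n")
    try:
        code, _ = read_reply(rfile)
    except socket.timeout:                              # advertised, but silent
        return "stalled", time.monotonic() - start
    return ("ok" if code == 220 else "refused"), time.monotonic() - start

if __name__ == "__main__":
    import sys
    with socket.create_connection((sys.argv[1], 25), timeout=15) as s:
        print(probe_starttls(s), "entropy_avail =", entropy_avail())
```

A `stalled` result together with a low `entropy_avail` reading on the server matches the situation described above; the entropy value is only meaningful when the script runs on the mail server itself.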
