Jeremiah Foster <[EMAIL PROTECTED]> writes:

> Hello!
>
> I have been lurking on this list a bit and would like to pose the
> following question. Is the TLS entropy bug in Debian solved?
>
> To be specific, there was an issue with exim hanging when TLS could not
> find enough entropy to create a secure connection. This caused problems,
> but mostly with older kernels. I had been stuck on just such a machine
> and complained to the exim package maintainers at Debian, who stated that
> they needed help with GnuTLS but they were having trouble finding
> someone with the knowledge required.
>
> That bug appears to be active, or maybe it should be called a "known
> issue," as that is what the Debian people call it. Here is a link to the
> description of the issue:
>
> http://wiki.debian.org/PkgExim4KnownBugsInSarge
>
> My understanding is that GnuTLS does not generate enough entropy to
> satisfy exim's requirements. Can this issue be addressed?
I'd love to help on this, but IIRC, the earlier reports were so vague
that there wasn't much to work on.

One problem was generation of DH or RSA parameters, but the proper
solution to that is to generate it in an external process in a cron job
every day or similar. Then an exhausted entropy pool shouldn't hang
exim.

If an exhausted entropy pool really is the problem, then using better
/dev/*random devices in Linux is the proper solution. I think it has
been established that the current Linux /dev/*random devices are very
inefficient and have security problems. There are better alternatives
out there too; maybe Debian could try them.

However, I'm not sure this is actually the origin of the problems.
Measuring the amount of entropy required for every TLS session in exim
might be interesting. In any case, that entropy should come from
/dev/urandom and not cause hangs.

/Simon

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
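The out-of-process parameter generation Simon describes, as an added example that is not part of the original thread and is not code from the GnuTLS or Exim projects: a script meant to run from a daily cron job. It generates fresh DH parameters with GnuTLS' `certtool` into a temporary file in the target directory, checks that the output actually looks like PEM DH parameters, and only then renames it over the file the MTA reads, so a slow or failed generation never leaves the server with a half-written or missing file. The target path `/etc/exim4/dhparams.pem` and the `DH_GENERATOR` override hook (which lets the generator be swapped out, for instance in a test) are assumptions for illustration; `certtool` must be installed for the real run.

```shell
#!/bin/sh
# Regenerate Diffie-Hellman parameters outside the MTA process and swap the
# new file in atomically, so the mail server never blocks on parameter
# generation (or on the entropy it needs) while handling a TLS session.
set -eu

# Assumed target path; point the MTA's DH-parameter setting at this file.
DH_FILE="${DH_FILE:-/etc/exim4/dhparams.pem}"

# generate_dh OUTFILE: write fresh DH parameters to OUTFILE using GnuTLS'
# certtool. --sec-param medium lets certtool pick the parameter size.
generate_dh() {
    certtool --generate-dh-params --sec-param medium --outfile "$1" >/dev/null 2>&1
}

# regen_dh_params TARGET: generate into a temp file next to TARGET, validate
# it, then rename it into place. Returns non-zero (and leaves TARGET
# untouched) if generation fails or produces something that is not PEM
# DH parameters. The generator can be overridden via DH_GENERATOR
# (an assumed hook for this example; defaults to generate_dh above).
regen_dh_params() {
    target="$1"
    dir=$(dirname "$target")
    tmp=$(mktemp "$dir/.dhparams.XXXXXX") || return 1

    if ! "${DH_GENERATOR:-generate_dh}" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    # Sanity check: refuse to install an empty or malformed result.
    if ! grep -q 'BEGIN DH PARAMETERS' "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    chmod 0644 "$tmp"
    # rename(2) is atomic within a filesystem: readers see either the old
    # file or the complete new one, never a partially written file.
    mv -f "$tmp" "$target"
}

# Only do the real regeneration when explicitly asked (e.g. from cron:
#   17 3 * * * /usr/local/sbin/regen-dhparams --run), so sourcing this
# file for testing does not touch the live parameters.
if [ "${1-}" = "--run" ]; then
    regen_dh_params "$DH_FILE"
fi
```

Running it as a separate cron job rather than inside the MTA is the whole point: if generation takes a long time on a machine with a starved entropy pool, only the cron job waits, and the MTA keeps serving TLS with the previous parameters until the new file is renamed into place.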
