On Thu, 2006-07-06 at 15:37 +0200, Simon Josefsson wrote:
> Jeremiah Foster <[EMAIL PROTECTED]> writes:
>
> > To be specific, there was an issue with exim hanging when TLS could not
> > find enough entropy to create a secure connection. This caused problems,
> > but mostly with older kernels. I had been stuck on just such a machine
> > and complained to the exim package maintainers at debian who stated that
> > they needed help with GNUTLS but they were having trouble finding
> > someone with the knowledge required.
> >
> > That bug appears to be active, or maybe it should be called a "known
> > issue," as that is what the debian people call it. Here is a link to the
> > description of the issue,
> >
> > http://wiki.debian.org/PkgExim4KnownBugsInSarge
> >
> > My understanding is that GnuTLS does not generate enough entropy to
> > satisfy exim's requirements. Can this issue be addressed?
>
> I'd love to help on this, but IIRC, the earlier reports were so vague
> that there wasn't much to work on.
>
> One problem was generation of DH or RSA parameters, but the proper
> solution to that is to generate it in an external process in a cron
> job every day or similar. Then an exhausted entropy pool shouldn't
> hang exim.
>
> If an exhausted entropy pool really is the problem, then using better
> /dev/*random devices in Linux is the proper solution. I think it has
> been established that the current Linux /dev/*random devices are very
> inefficient and have security problems. There are better alternatives
> out there too, maybe Debian could try them. However, I'm not sure
> this is actually the origin of the problems.

I think there is a cron shell script fix provided on the debian exim web
site, and I have heard that /dev/urandom is somewhat more secure on linux
than /dev/random, but that the security and efficiency issues are as you
say, that is problematic.

> Measuring the amount of entropy required for every TLS session in exim
> might be interesting. In any case, that entropy should come from
> /dev/urandom and not cause hangs.

A bit over my head unfortunately, but I will post this suggestion to the
debian-exim mailing list when the issue comes up again.

Thanks!

Jeremiah

_______________________________________________
Help-gnutls mailing list
Help-gnutls@gnu.org
http://lists.gnu.org/mailman/listinfo/help-gnutls
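The cron-job approach Simon describes above (generate the DH parameters in a separate process, so that a drained entropy pool stalls a daily job instead of an incoming SMTP session), written out as an added example. This is not code from the thread, from Exim, or from Debian's exim4 package. Assumptions: the parameter file path /var/spool/exim4/gnutls-params and the fact that Exim is configured to read it are placeholders to check against the local setup; the generator command is GnuTLS's certtool. The script's own contribution beyond "run certtool from cron" is the atomic replacement: the new file is written beside the old one and renamed over it only if generation succeeded and produced a non-empty file, so Exim never opens a half-written or empty parameter file and keeps the previous parameters when the generator blocks, fails or is killed.

```sh
#!/bin/sh
# Added example (not Exim's or Debian's own script): regenerate Exim's
# Diffie-Hellman parameters from cron, outside the MTA, so that an empty
# entropy pool blocks this job rather than a TLS session.
# Assumptions: Exim reads its DH parameters from $DH_PARAMS (hypothetical
# path, adjust to the installed configuration) and certtool is installed.
set -eu

DH_PARAMS=${DH_PARAMS:-/var/spool/exim4/gnutls-params}
DH_BITS=${DH_BITS:-2048}

# Generator: writes fresh DH parameters to the file named in $1.
# Any command or function with that contract can be substituted.
gen_certtool() {
    certtool --generate-dh-params --bits "$DH_BITS" --outfile "$1"
}

# regen_dh_params OUTFILE GENERATOR
# Runs GENERATOR into a temporary file in OUTFILE's directory and renames
# it over OUTFILE only on success. Exim therefore either sees the old
# complete file or the new complete file, never an empty or partial one.
# Returns non-zero (and leaves OUTFILE untouched) if generation fails.
regen_dh_params() {
    out=$1
    gen=$2
    dir=$(dirname "$out")
    tmp=$(mktemp "$dir/.dhparams.XXXXXX") || return 1
    if ! "$gen" "$tmp" || ! [ -s "$tmp" ]; then
        rm -f "$tmp"
        return 1
    fi
    # mktemp creates the file 0600; DH parameters are public, so make
    # them readable by the unprivileged user Exim runs as.
    chmod 0644 "$tmp"
    mv -f "$tmp" "$out"     # rename(2) is atomic on the same filesystem
}

# Invoke from cron (e.g. /etc/cron.daily) as: regen-dh-params.sh run
if [ "${1:-}" = "run" ]; then
    regen_dh_params "$DH_PARAMS" gen_certtool
fi
```

The generator is passed by name so it can be swapped for an `openssl dhparam -out "$1" "$DH_BITS"` wrapper where certtool is not installed, and so the replacement logic can be exercised with a fake generator without consuming any entropy. If the job is run by root, the rename inherits root ownership; Exim only needs read access, which the 0644 mode provides.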