[gnutls-dev] Re: gnutls_rsa_params_init hangs. Is regenerating rsa-params once a day to frequent?

Simon Josefsson jas at extundo.com
Tue Dec 14 16:09:21 CET 2004


Andreas Metzler <ametzler at downhill.at.eu.org> writes:

> Hello,

Hi.

> exim4 uses gnutls for TLS/SSL and we (on Debian) have chosen to
> configure it to regenerate rsa and dh params once a day. However
> promptly after this change we received a bug-report[1] telling us that
> exim just hang. Further analysis showed that
>
> gnutls_rsa_params_generate2(rsa_params, 512);
>
> got stuck on his system, waiting indefinitely for new data to appear
> in /dev/random.
>
> I am a little bit at loss on how to deal with this. Is "once a day"
> too frequent as a default value?

I don't think so.

> Can (Should) gnutls_rsa_params_generate2 deal more gracefully with
> systems with little data in /dev/random (by using urandom after a
> timeout or supporting alternative entropy gathering devices?)

Yes, ideally.  This was suggested recently, and as a consequence TODO
now reads:

- Add progress handler gnutls_{dh,rsa}_params_generate2, to allow
  application to give progress feedback to user.
- Support non-blocking gnutls_{dh,rsa}_params_generate2 for when there
  is not enough entropy available.

If someone wants to work on this, that would be useful...

> Is exim faulty for running gnutls_rsa_params_generate2 while handling
> an incoming connection? (Not faulty as in in "not optimal" but as in
> "the stupiest idea I've ever heard of, everybody using gnutls seriously
> knows that you put running gnutls_rsa_params_generate2 in a separate
> little thread/program")

I wouldn't say faulty, but as you suggest, it may be sub-optimal.  You
could have a stand-alone program that generate dh/rsa parameters, save
the data to a file and ask the main process to re-load its data.  Or
use a separate thread.

I suspect the manual should discuss this problem.

Thanks,
Simon




More information about the Gnutls-dev mailing list