[gnutls-dev] Re: gnutls_rsa_params_init hangs. Is regenerating
rsa-params once a day to frequent?
Simon Josefsson
jas at extundo.com
Tue Dec 14 16:09:21 CET 2004
Andreas Metzler <ametzler at downhill.at.eu.org> writes:
> Hello,
Hi.
> exim4 uses gnutls for TLS/SSL and we (on Debian) have chosen to
> configure it to regenerate rsa and dh params once a day. However
> promptly after this change we received a bug-report[1] telling us that
> exim just hang. Further analysis showed that
>
> gnutls_rsa_params_generate2(rsa_params, 512);
>
> got stuck on his system, waiting indefinitely for new data to appear
> in /dev/random.
>
> I am a little bit at loss on how to deal with this. Is "once a day"
> too frequent as a default value?
I don't think so.
> Can (Should) gnutls_rsa_params_generate2 deal more gracefully with
> systems with little data in /dev/random (by using urandom after a
> timeout or supporting alternative entropy gathering devices?)
Yes, ideally. This was suggested recently, and as a consequence TODO
now reads:
- Add progress handler gnutls_{dh,rsa}_params_generate2, to allow
application to give progress feedback to user.
- Support non-blocking gnutls_{dh,rsa}_params_generate2 for when there
is not enough entropy available.
If someone wants to work on this, that would be useful...
> Is exim faulty for running gnutls_rsa_params_generate2 while handling
> an incoming connection? (Not faulty as in in "not optimal" but as in
> "the stupiest idea I've ever heard of, everybody using gnutls seriously
> knows that you put running gnutls_rsa_params_generate2 in a separate
> little thread/program")
I wouldn't say faulty, but as you suggest, it may be sub-optimal. You
could have a stand-alone program that generate dh/rsa parameters, save
the data to a file and ask the main process to re-load its data. Or
use a separate thread.
I suspect the manual should discuss this problem.
Thanks,
Simon
More information about the Gnutls-dev
mailing list