[gnutls-dev] Re: ongoing entropy problems
Nikos Mavrogiannopoulos
n.mavrogiannopoulos at gmail.com
Wed Feb 1 13:14:06 CET 2006
On 2/1/06, Simon Josefsson <jas at extundo.com> wrote:
> > 1. Does gnutls use GCRY_VERY_STRONG_RANDOM?
> Yes, in gc_random() which is used by RAND_bytes in
> libextra/gnutls_openssl.c. Otherwise, no, as far as I can see.
Indirectly it is used during key generation. I believe libgcrypt
uses GCRY_VERY_STRONG_RANDOM to generate an RSA key. This
is the reason exim was blocking. It was creating an RSA key per
connection (which is not really needed).
> Is exim using the OpenSSL compatibility interface? Does it invoke
> RAND_bytes?
No, it uses a direct implementation.
> > 2. Does gnutls save the random seed file?
> > gcry_control (GCRYCTL_SET_RANDOM_SEED_FILE, filename);
> > atexit:
> > gcry_control (GCRYCTL_UPDATE_RANDOM_SEED_FILE);
> No. Should it? What should we use as the filename?
I also don't think we should use it. gnutls doesn't need to know about that.
It could be used by exim though because of the way it works.
> > 3. Does the problem only occur for inetd invoked exims?
> I don't know.
It occurs for any way you run exim. The problem is that exim is
forking and then initializing gnutls and everything else after every fork.
As far as I was told, there is no other way to do that. However, a fork
happens really often in exim, thus it causes that problem.