[gnutls-dev] Re: Feature request: not really random session keys
Simon Josefsson
jas at extundo.com
Mon Jan 30 15:13:48 CET 2006
Florian Weimer <fw at deneb.enyo.de> writes:
> * Werner Koch:
>
>> The same may happen with libgcrypt applications if several short
>> living processes are running (Exim?). I am not sure whether GnuTLS
>> sets a random seed file at all. Does it?
>
> In case of Exim, it's regeneration of the RSA_EXPORT key. It is not
> serialized, either, so multiple Exim processes try to regenerate it
> and consume increasing amounts of entropy.
I recall the same problem in some other application. The solution was
to have a separate process devoted to regenerate the keys, store it to
a file, and have the other processes use it. This circumvent the
synchronization problem, which can be quite complicated, and also
guarantee that the Exim process will never block on /dev/random. The
process that regenerate the keys can be invoked through cron.
More information about the Gnutls-dev
mailing list