[gnutls-dev] Feature request: not really random session keys

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Mon Jan 30 15:40:09 CET 2006


On 1/30/06, Florian Weimer <fw at deneb.enyo.de> wrote:

> > As far as I remember it was saving it to a file to eliminate the need
> > for regeneration every time. Isn't this the case any more?
> It does, but when it's not there (or outdated, apparently), every
> delivery process which needs it tries to regenerate it in parallel.
> If you have a busy mail server, this is quite noticeable.  (It doesn't
> matter if you only process a few thousand messages per day.)

Hmmm then it's a problem... the process shouldn't check if it is outdated or not
(or could check but in that case disable the corresponding ciphersuites, instead
of generating the key). The easier way to fix that is to generate the RSA key and
the DH parameters by other means --say certtool running on the bg once per day
or something like that.
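
The out-of-band regeneration suggested above, as an added example that is not part of the original post or of GnuTLS: a script for a daily cron job that lets only one refresher run and installs the new DH parameters with an atomic rename, so delivery processes never see a missing or partial file. The file path, the 2048-bit size and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): refresh GnuTLS DH parameters from cron
# so that server processes only ever read an existing, complete file.

# Hypothetical location; point the mail server at the same file.
PARAMS_FILE="${PARAMS_FILE:-/var/lib/mta/gnutls-dh-params.pem}"
LOCK_DIR="${PARAMS_FILE}.lock"

# The generator is isolated in one function so it can be swapped out.
# certtool writes a PEM "DH PARAMETERS" block to the --outfile path.
generate_dh_params() {
    certtool --generate-dh-params --bits 2048 --outfile "$1"
}

# Returns 0 on success, 1 if generation failed (old file kept),
# 2 if another refresher already holds the lock.
refresh_dh_params() {
    # mkdir is atomic: a second refresher exits at once instead of
    # starting a parallel, CPU-heavy regeneration.
    if ! mkdir "$LOCK_DIR" 2>/dev/null; then
        echo "refresh already in progress, skipping" >&2
        return 2
    fi
    tmp="${PARAMS_FILE}.tmp.$$"
    status=1
    # Generate next to the live file (same filesystem), sanity-check the
    # output, then rename over the live file in a single step.
    if generate_dh_params "$tmp" >/dev/null 2>&1 \
        && grep -q -e '-----BEGIN DH PARAMETERS-----' "$tmp" \
        && mv -f "$tmp" "$PARAMS_FILE"; then
        status=0
    fi
    rm -f "$tmp"
    rmdir "$LOCK_DIR"
    return "$status"
}

# Cron entry (assumed script name): 17 3 * * * /usr/local/sbin/refresh-dh-params --run
if [ "${1:-}" = "--run" ]; then
    refresh_dh_params
fi
```

A lock directory left behind by a killed run has to be removed by hand or by a staleness check before the next refresh will proceed.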



