[Help-gnutls] Re: Previous bug in Debian regarding entropy Gnu-TLS, Exim-4.60, 2.4 kernel

Jeremiah Foster jeremiah.foster at theclickstore.se
Thu Jul 6 16:16:10 CEST 2006


On Thu, 2006-07-06 at 15:37 +0200, Simon Josefsson wrote:
> Jeremiah Foster <jeremiah.foster at theclickstore.se> writes:

> > To be specific, there was an issue with exim hanging when TLS could not
> > find enough entropy to create a secure connection. This caused problems,
> > but mostly with older kernels. I had been stuck on just such a machine
> > and complained to the exim package maintainers at debian who stated that
> > they needed help with GNUTLS but they were having trouble finding
> > someone with the knowledge required. 
> >
> > That bug appears to be active, or maybe it should be called a "known
> > issue," as that is what the debian people call it. Here is a link to the
> > description of the issue,
> >
> >  http://wiki.debian.org/PkgExim4KnownBugsInSarge
> >
> > My understanding is that GnuTLS does not generate enough entropy to
> > satisfy exim's requirements. Can this issue be addressed?
> 
> I'd love to help on this, but IIRC, the earlier reports were so vague
> that there wasn't much to work on.
> 
> One problem was generation of DH or RSA parameters, but the proper
> solution to that is to generate it in an external process in a cron
> job every day or similar.  Then an exhausted entropy pool shouldn't
> hang exim.
> 
> If an exhausted entropy pool really is the problem, then using better
> /dev/*random devices in Linux is the proper solution.  I think it has
> been established that the current Linux /dev/*random devices are very
> inefficient and have security problems.  There are better alternatives
> out there too, maybe Debian could try them.  However, I'm not sure
> this is actually the origin of the problems.

I think there is a cron shell script fix provided on the Debian exim web
site, and I have heard that /dev/urandom is somewhat more secure on
Linux than /dev/random, but that the security and efficiency issues are,
as you say, problematic.

> Measuring the amount of entropy required for every TLS session in exim
> might be interesting.  In any case, that entropy should come from
> /dev/urandom and not cause hangs.

A bit over my head unfortunately, but I will post this suggestion to the
debian-exim mailing list when the issue comes up again.

Thanks!

Jeremiah
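The fix Simon describes above (generate the Diffie-Hellman parameters in a separate process from cron, so an exhausted entropy pool can only ever stall that process and not exim itself), as an added example that is not from this thread, from the Debian exim4 package or from GnuTLS. It assumes exim reads its parameters from a file such as /var/spool/exim4/gnutls-params, that GnuTLS's certtool is installed, and that exim runs as the Debian-exim user; all three are assumptions and are set through the variables at the top.

```shell
#!/bin/sh
# Added example, not code from the gnutls-help thread, Debian's exim4
# package or GnuTLS. Regenerates exim's TLS DH parameters from cron, in a
# process separate from the daemon, writing them atomically so exim never
# reads a half-written file and never waits on /dev/random itself.
#
# Assumptions (hypothetical; adjust for your installation):
#   DH_FILE  path exim reads its DH parameters from
#   DH_BITS  size of the generated group
#   OWNER    user:group exim runs as, so it can read the file
DH_FILE="${DH_FILE:-/var/spool/exim4/gnutls-params}"
DH_BITS="${DH_BITS:-2048}"
OWNER="${OWNER:-Debian-exim:Debian-exim}"

# Default generator: GnuTLS certtool writing PEM DH parameters to the path
# given as its only argument. If this blocks waiting for entropy, it is the
# cron job that waits, not a running exim.
gen_with_certtool() {
    certtool --generate-dh-params --bits "$DH_BITS" --outfile "$1"
}

# regen_dh_params FILE [GENERATOR]
# Generates into a temp file beside FILE, sanity-checks it, fixes ownership
# and mode, then renames it over FILE. On any failure the old FILE is left
# untouched and the temp file is removed; returns non-zero in that case.
# GENERATOR is a command taking the output path as its single argument.
regen_dh_params() {
    file="$1"
    generator="${2:-gen_with_certtool}"
    dir=$(dirname "$file")
    tmp="$dir/.$(basename "$file").tmp.$$"

    # Keep the temp file private while it is being written.
    umask 077
    if ! "$generator" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    # Refuse to install an empty file or one that is not PEM DH parameters,
    # so a broken generator cannot take TLS down on the next exim start.
    if ! [ -s "$tmp" ] || ! grep -q 'BEGIN DH PARAMETERS' "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    chmod 0640 "$tmp"
    # chown needs root; when run unprivileged (e.g. a test) skip it quietly.
    chown "$OWNER" "$tmp" 2>/dev/null || true
    # rename(2) is atomic on the same filesystem: readers see old or new,
    # never a partial file.
    mv -f "$tmp" "$file"
}

# Only touch the real file when explicitly asked, so sourcing or testing
# this script does not run certtool.
if [ "${1:-}" = "--run" ]; then
    regen_dh_params "$DH_FILE"
fi
```

Run it from cron as root, for example daily at an off-peak hour (crontab line is illustrative): `17 4 * * * root /usr/local/sbin/exim-dh-regen.sh --run`. Because the file is replaced with a rename rather than rewritten in place, a running exim reading the old parameters at that moment is unaffected.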
