[Help-gnutls] Re: Previous bug in Debian regarding entropy Gnu-TLS, Exim-4.60, 2.4 kernel

Florian Weimer fweimer at bfk.de
Wed Jul 12 12:51:15 CEST 2006

* Nikos Mavrogiannopoulos:

>> I would be surprised if RSA_EXPORT support is needed at all.  I don't
>> see it in my mail server logs, and don't you need a special server
>> certificate to enable it anyway?
> The only requirement is for the server certificate to be able to be used 
> for signing.

I don't think this is correct; the certificate issuer must come from
certain well-known CAs which allow upgrading to a better security
level.  If you don't need interoperability with crippled clients,
you'd use RSA instead of RSA_EXPORT in the first place.

> Indeed. But in the versions of linux used, they depleted the same pool, 
> thus again /dev/random was blocked.

But on a typical GNU/Linux system, no periodic tasks read from
/dev/random, so it doesn't matter if the pool has been depleted or
not.  And the process which generates the key parameters for Exim
would not block, either.

Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Durlacher Allee 47            tel: +49-721-96201-1
D-76131 Karlsruhe             fax: +49-721-96201-99

More information about the Gnutls-help mailing list