Bug#285371: Still a problem.

Yazz D. Atlas "Yazz D. Atlas" <yazz@230volts.net>, 285371@bugs.debian.org
Mon, 20 Dec 2004 19:49:47 -0800


Marc Haber wrote:
> Does the system have a local disk?

Yes, I have a Mylex eXtremeRAID 2000 PCI RAID Revision: 0600 in this system.

> If your hardware is sufficiently recent, it might have a hardware rng,
> which needs to be coupled to /dev/random by some means, for example
> the rngd daemon from the Debian package rng-tools.

Sorry, the hardware is about 2 or 3 yrs old now: dual Pentium III 
(Coppermine) 1 GHz.  So there is no chance of that.

> I am inclined to close this bug, as it is really a local resource
> issue. I think it is a good idea that gnutls tries to get its entropy
> for key generation from /dev/random which blocks if no more entropy is
> available.

Close the ticket if you want. I just found a work-around for my system.

I downgraded my kernel to 2.4.27-1-686-smp. This fixed my problem.

#  sysctl -n kernel/random/entropy_avail
4096
# time su Debian-exim -s '/bin/sh' -c "./exim_gnutls-params -v --indefinitely /var/spool/exim4"
generating 512 bit RSA key...
generating 768 bit Diffie-Hellman key...
wrote RSA and D-H parameters to file /var/spool/exim4/gnutls-params

real    0m0.955s
user    0m0.910s
sys     0m0.000s


Now does this mean the 2.6.9-1-686-smp is my problem? Hmm... maybe this 
bug should be moved over to a kernel bug somewhere. Or opened with the 
gnutls folks. What's your feeling?

> It can be discussed with the gnutls people whether gnutls should have
> a timeout, leaving the decision whether to continue waiting for
> entropy to the application. However, providing a sufficient amount of
> entropy is probably the job of the local sysadmin.

I think it is important for gnutls to timeout at some point since 
currently the way it was handling the lack of /dev/random entropy 
created a DoS. Mail servers connecting securely would stay connected and 
not leave. Eventually all smtp connections to my mail server were 
waiting for gnutls. There was no log info to explain what was going on. 
Logging that I had too many connections was true but did not explain 
why. Only by doing a strace did it really show itself as a gnutls issue.

As for having enough entropy, I just wish I had direct access to the 
system myself. It's at my co-lo which does very little if any hands on 
(aka my friend's basement over 600 miles away). Trying to get him to 
connect a keyboard and bang randomly on it would have been something.

> Andreas, I'd like to downgrade this bug to wishlist and mark it
> wontfix, if you don't object.
> 
> Greetings
> Marc
> 

Thanks for all the help Andreas!
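A defender-side check for the condition this report describes (a drained entropy pool plus callers parked on /dev/random, which only strace revealed), added here as an example; it is not part of the bug report, exim or gnutls. The function names and the LOW_WATER threshold are my own assumptions.

```shell
#!/bin/sh
# Added example: report the kernel entropy estimate and any process holding
# /dev/random open, so a gnutls/exim stall like the one above shows up in a
# log line instead of only under strace. Names and threshold are assumptions.

ENTROPY_FILE=/proc/sys/kernel/random/entropy_avail   # same value as sysctl kernel/random/entropy_avail
LOW_WATER=${LOW_WATER:-256}                           # assumed alert threshold; tune per host

# entropy_status AVAIL THRESHOLD -> prints "ok" or "low"
entropy_status() {
    if [ "$1" -lt "$2" ]; then
        echo low
    else
        echo ok
    fi
}

# current_entropy -> the kernel's pool estimate, or -1 if it cannot be read
current_entropy() {
    cat "$ENTROPY_FILE" 2>/dev/null || echo -1
}

# list_dev_random_readers -> one "PID COMM WCHAN" line per process with
# /dev/random open. A WCHAN naming a random/wait routine means the process
# is blocked in the read, which is the state the report's smtp sessions sat in.
# Caveat: on 2.4/2.6 kernels /dev/random blocks whenever the pool is empty;
# kernels from 5.6 on only block until the pool is first initialised.
list_dev_random_readers() {
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        [ "$target" = "/dev/random" ] || continue
        pid=${fd#/proc/}; pid=${pid%%/*}
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        wchan=$(cat "/proc/$pid/wchan" 2>/dev/null || echo '?')
        echo "$pid $comm $wchan"
    done | sort -u
}

# main -> one summary line plus the reader list; report-only, always exits 0
main() {
    avail=$(current_entropy)
    status=$(entropy_status "$avail" "$LOW_WATER")
    echo "entropy_avail=$avail threshold=$LOW_WATER status=$status"
    readers=$(list_dev_random_readers)
    [ -z "$readers" ] || printf 'processes with /dev/random open (pid comm wchan):\n%s\n' "$readers"
    return 0
}

main
```

Run it from cron or a monitoring agent; a "status=low" line together with exim or gnutls entries in the reader list is the signature of the stall described here.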