Bug#343085: exim4: Exim SMTP_AUTH hangs since today...
Sven Hartge
sven at svenhartge.de
Mon Jan 30 23:43:19 UTC 2006
At 23:02 on 30.01.06, Florian Weimer wrote:
> Sven Hartge:
>> At 15:15 on 30.01.06, Florian Weimer wrote:
>>> Turns out the patch was broken. This one should be better. The
>>> comments above still apply.
>> Sorry, but I patched and recompiled the exim4-package from Sarge, but
>> any encrypted mail transfer nearly empties the entropy pool.
> Again, this is expected -- I tried to fix the blocking problem, not the
> entropy consumption as such. The entropy consumption is really a
> libgcrypt issue; it does not make much sense to work around it in each
> application individually.
Let me sum up all the pieces to see if I get everything in the right way.
a) Exim uses GnuTLS in a way which causes it to use /dev/random to acquire
strictly random bytes on every encrypted connection.
b) GnuTLS uses many more random bytes to initialize itself than OpenSSL.
A combination of A and B leads to a possible hole for a DoS attack: if I
am able to drain the entropy pool, then because of A, Exim will block until
enough entropy is regathered.
While fixing A is generally a Good Idea (in my opinion), so that Exim does
not block if there is no entropy available (for whatever reason), the real
winner would be a fix to B, so that the entropy pool does not get drained
so fast; this would benefit not only Exim but any other program using
GnuTLS.
Is this summary correct so far?
Regards,
Sven.
--
Sven Hartge -- professional Unix geek
My thoughts on the web: http://www.svenhartge.de/
Note, new mail address: sven at svenhartge.de
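
An added example, not part of the message above and not code from Exim, GnuTLS or libgcrypt: a small monitor for the condition the summary describes, finding the time spans in which the kernel's entropy estimate stayed low enough that a blocking /dev/random reader would stall. The 128-bit threshold and the sample values are assumptions constructed for illustration.

```python
"""Detect entropy-pool starvation from entropy_avail samples."""
from pathlib import Path

ENTROPY_AVAIL = Path("/proc/sys/kernel/random/entropy_avail")  # Linux procfs counter
LOW_WATER_BITS = 128  # assumed alert threshold, not a value from the thread


def read_entropy_avail(path=ENTROPY_AVAIL):
    """Return the kernel's current entropy estimate in bits (for live sampling)."""
    return int(path.read_text().strip())


def starvation_windows(samples, low_water=LOW_WATER_BITS):
    """Return (start, end) spans during which the pool stayed below low_water.

    samples: list of (timestamp_seconds, entropy_bits), ordered by time.
    A window still open at the last sample ends at that sample's timestamp.
    """
    windows, start, last_ts = [], None, None
    for ts, bits in samples:
        if bits < low_water and start is None:
            start = ts                      # pool just fell below the threshold
        elif bits >= low_water and start is not None:
            windows.append((start, ts))     # pool recovered
            start = None
        last_ts = ts
    if start is not None:
        windows.append((start, last_ts))
    return windows


def largest_drops(samples, top=3):
    """Return the biggest sample-to-sample decreases as (timestamp, bits_lost)."""
    drops = [(t2, b1 - b2)
             for (_, b1), (t2, b2) in zip(samples, samples[1:]) if b2 < b1]
    return sorted(drops, key=lambda d: d[1], reverse=True)[:top]


# Constructed samples (seconds, entropy_avail); not measurements from the bug report.
SAMPLES = [(0, 3500), (1, 3480), (2, 1200), (3, 90), (4, 40),
           (5, 60), (6, 300), (7, 900), (8, 100), (9, 110)]

if __name__ == "__main__":
    print("starved:", starvation_windows(SAMPLES))
    print("drops:", largest_drops(SAMPLES))
```

Lining up the timestamps from largest_drops with the mail log shows whether the drains coincide with encrypted SMTP sessions.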