Bug#387448: empty entropy pool leads to DOS
Marc Haber
mh+debian-packages at zugschlus.de
Thu Sep 14 14:03:04 UTC 2006
reassign #387448 exim4-daemon-light,exim4-daemon-heavy
tags #387448 confirmed upstream help
user exim4 at packages.debian.org
usertags #387448 gnutls
forwarded #387448 http://www.exim.org/bugzilla/show_bug.cgi?id=390
thanks
On Thu, Sep 14, 2006 at 02:57:38PM +0200, Yuri D'Elia wrote:
> I know this has been reported before to death [since gnutls is being used],
> but I will just add another twist, since I'm tired of rebuilding exim with
> OpenSSL manually.
>
> GnuTLS drains the entropy pool much more quickly than OpenSSL. On server
> systems without hardware generators, /dev/random drains very quickly, meaning
> that exim will often block. But exim should NOT block, or even wait, in
> STARTTLS.
As far as I know, exim blocks if no dh-parameters are available. The
package regenerates the dh-parameters from outside exim if the
gnutls-bin package is installed. exim4-base suggests gnutls-bin for
this reason.
> This is a bug in exim. exim should NOT block in STARTTLS. keys must be
> generated in background or by other means,
This has already been done.
> and the unavailability of data at STARTTLS should generate an
> immediate temporary failure to avoid other DOS conditions.
Forwarded upstream.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
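The behaviour the reporter asks for, as an added illustration that is not exim's or the Debian package's own code: an SMTP server should never sit inside STARTTLS waiting for /dev/random to refill or for DH parameters to be generated inline. The sketch below opens the random device with O_NONBLOCK so an empty pool surfaces as EAGAIN instead of a hang, refuses to generate DH parameters on the fly (it expects them pre-generated out of band, as the package does with gnutls-bin), and maps either shortfall to an immediate SMTP 454 temporary failure so the client can retry later. The file paths, the `starttls_gate` function and the reply strings are assumptions for the example; on kernels where /dev/random no longer blocks after boot the gate simply proceeds.

```python
import os

# Reply a server would return instead of blocking (assumed wording; 454 is
# the standard "TLS not available due to temporary reason" code).
TEMPFAIL_REPLY = "454 4.7.0 TLS not available due to temporary reason"
READY_REPLY = "220 2.0.0 Ready to start TLS"


def read_random_nonblocking(nbytes, path="/dev/random"):
    """Return nbytes from the random device without ever blocking.

    Returns None when the pool cannot satisfy the request right now
    (EAGAIN on a drained blocking pool) or when the source yields EOF,
    which is how a constructed empty source such as /dev/null behaves.
    """
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    try:
        buf = b""
        while len(buf) < nbytes:
            try:
                chunk = os.read(fd, nbytes - len(buf))
            except BlockingIOError:
                return None  # pool empty: fail fast instead of hanging
            if not chunk:
                return None  # EOF: treat as "no entropy available"
            buf += chunk
        return buf
    finally:
        os.close(fd)


def entropy_avail(path="/proc/sys/kernel/random/entropy_avail"):
    """Current kernel pool estimate in bits, or None where unavailable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def starttls_gate(dh_params_path, nbytes=32, random_path="/dev/random"):
    """Decide at STARTTLS time whether to proceed or tempfail immediately.

    Returns (proceed, smtp_reply, random_material). DH parameters are
    never generated here: if the pre-generated file is missing the
    handshake is refused with a temporary failure so the pool is not
    drained inside the SMTP session.
    """
    if not os.path.exists(dh_params_path):
        return (False, TEMPFAIL_REPLY, None)
    material = read_random_nonblocking(nbytes, random_path)
    if material is None:
        return (False, TEMPFAIL_REPLY, None)
    return (True, READY_REPLY, material)


if __name__ == "__main__":
    # Constructed local run: /dev/null stands in for a missing DH file's
    # opposite (it exists) and for an empty entropy source.
    print("entropy_avail:", entropy_avail())
    print(starttls_gate("/nonexistent/dh-params.pem")[:2])
    print(starttls_gate("/dev/null", random_path="/dev/null")[:2])
    print(starttls_gate("/dev/null", nbytes=8, random_path="/dev/urandom")[:2])
```

The important design point is that every failure path returns within one syscall: the cost of a drained pool is a retry by the client, not a stalled daemon process that ties up a connection slot.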