Bug#387448: empty entropy pool leads to DOS
Andreas Metzler
ametzler at downhill.at.eu.org
Sat Sep 16 13:39:28 UTC 2006
On 2006-09-14 Yuri D'Elia <wavexx at yuv.info> wrote:
> Package: exim4
> Version: 4.63-3
> Severity: important
> I know this has been reported before to death [since gnutls is being used],
> but I will just add another twist, since I'm tired of rebuilding exim with
> OpenSSL manually.
> GnuTLS drains the entropy pool much more quickly than OpenSSL. On server
> systems without hardware generators, /dev/random drains very quickly, meaning
> that exim will often block. But exim should NOT block, or even wait, in
> STARTTLS. It is possible to make the system drain its entropy and then issue
> several connections all waiting in STARTTLS, until the maximal number of
> connection is reached. Combine this with the fact that it is possible to
> maintain the connection alive for eternity with a SO_KEEPALIVE connection, and
> also exim doesn't seem to terminate the process when the connection is closed
> in this state, and you get very easy denial of service which will refuse all
> further (including normal) connections.
> This is a bug in exim. exim should NOT block in STARTTLS. keys must be
> generated in background or by other means, and the unavailability of data at
> STARTTLS should generate and immediate temporary failure to avoid other DOS
> conditions.
Hello,
Do you have gnutls-bin installed at all?
The only thing causing exim to block on STARTTLS is key and dh-param
generation. Both is done offline (/etc/cron.daily/exim4-base invoking
/usr/share/exim4/exim4_refresh_gnutls-params which uses certtool).
Normal STARTTLS connection does not block, as it only reads from
/dev/urandom.
--------------
ametzler at argenau:/tmp$ cat /proc/sys/kernel/random/entropy_avail ; for i in 1 2 3 4 ; do swaks -tls --silent -s localhost -q ehlo ; cat /proc/sys/kernel/random/entropy_avail ; done
3953
1
1
1
1
--------------
--------------
argenau:/tmp/GNUTLS11# strace -v -f -s 164 -eopen -p 2455
Process 2455 attached - interrupt to quit
Process 12999 attached
[pid 12999] open("/etc/hosts", O_RDONLY) = 3
[pid 12999] open("/etc/hosts", O_RDONLY) = 3
[pid 12999] open("/var/spool/exim4/gnutls-params", O_RDONLY|O_LARGEFILE) = 3
[pid 12999] open("/etc/exim4/exim.key", O_RDONLY) = 3
[pid 12999] open("/etc/exim4/exim.crt", O_RDONLY) = 3
[pid 12999] open("/dev/urandom", O_RDONLY) = 3
Process 12999 detached
--- SIGCHLD (Child exited) @ 0 (0) ---
Process 13003 attached
[pid 13003] open("/etc/hosts", O_RDONLY) = 3
[pid 13003] open("/etc/hosts", O_RDONLY) = 3
[pid 13003] open("/var/spool/exim4/gnutls-params", O_RDONLY|O_LARGEFILE) = 3
[pid 13003] open("/etc/exim4/exim.key", O_RDONLY) = 3
[pid 13003] open("/etc/exim4/exim.crt", O_RDONLY) = 3
[pid 13003] open("/dev/urandom", O_RDONLY) = 3
Process 13003 detached
--- SIGCHLD (Child exited) @ 0 (0) ---
Process 13007 attached
[pid 13007] open("/etc/hosts", O_RDONLY) = 3
[pid 13007] open("/etc/hosts", O_RDONLY) = 3
[pid 13007] open("/var/spool/exim4/gnutls-params", O_RDONLY|O_LARGEFILE) = 3
[pid 13007] open("/etc/exim4/exim.key", O_RDONLY) = 3
[pid 13007] open("/etc/exim4/exim.crt", O_RDONLY) = 3
[pid 13007] open("/dev/urandom", O_RDONLY) = 3
Process 13007 detached
--- SIGCHLD (Child exited) @ 0 (0) ---
Process 13011 attached
[pid 13011] open("/etc/hosts", O_RDONLY) = 3
[pid 13011] open("/etc/hosts", O_RDONLY) = 3
[pid 13011] open("/var/spool/exim4/gnutls-params", O_RDONLY|O_LARGEFILE) = 3
[pid 13011] open("/etc/exim4/exim.key", O_RDONLY) = 3
[pid 13011] open("/etc/exim4/exim.crt", O_RDONLY) = 3
[pid 13011] open("/dev/urandom", O_RDONLY) = 3
Process 13011 detached
--- SIGCHLD (Child exited) @ 0 (0) ---
--------------
cu andreas
--
The 'Galactic Cleaning' policy undertaken by Emperor Zhark is a personal
vision of the emperor's, and its inclusion in this work does not constitute
tacit approval by the author or the publisher for any such projects,
howsoever undertaken. (c) Jasper Ffforde
More information about the Pkg-exim4-maintainers
mailing list