Bug#387448: empty entropy pool leads to DOS

Yuri D'Elia wavexx at yuv.info
Sun Sep 17 15:26:04 UTC 2006


On 16 Sep 2006, at 23:48, Marc Haber wrote:

>> Upstream quickly tagged this as "can't be done": I'd say this is
>> simply wrong. Everything can be done, provided enough time is given.
>
> Do you really think that it should be exim's job to re-implement a
> good part of a TLS library? Please take this up with upstream or the
> tech ctte.

This is not what I meant. I clearly don't want to touch any library
code. I can imagine forking a secondary process to generate the keys
upon startup, a thread if GnuTLS is thread safe, or whatever. I'm
perfectly fine with the cron solution. My point is that this behavior
in Exim is broken, and tagging it as "wontfix" is not admitting it is.

> I'd rather invoke a key generation process in the background from the
> init script if dh parameters are not present.

If you can check whether exim has TLS enabled, that looks fine.

> Please send a patch. Please notice that i reserve the right to change
> your words while applying the patch.

I'm not a native English speaker, so I did my best.

>> Maybe the Suggest: can also be raised to a Recommend too.
>
> I think that Suggests: is appropriate, as of Policy 7.2. If you
> disagree, please take this to the tech ctte.

Ok. If you plan to incorporate the use of openssl in cron.daily/exim4-base,
change this to a gnutls-bin | openssl then.

Patches attached.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: exim4-base.patch
Type: application/octet-stream
Size: 4503 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/pkg-exim4-maintainers/attachments/20060917/e0f3e768/exim4-base.obj
-------------- next part --------------
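The init-script approach discussed above (generate DH parameters in the background only when TLS is on and the file is missing, trying gnutls-bin's certtool before openssl), written out as an added POSIX shell sketch; it is not the attached exim4-base.patch. The file paths, the MAIN_TLS_ENABLE marker and the DH_GEN override are assumptions.

```shell
#!/bin/sh
# Added example (not the attached patch): the init-script approach discussed
# in the thread. Paths and the MAIN_TLS_ENABLE marker are assumptions about
# the Debian exim4 layout; adjust DH_PARAMS/EXIM_CONF for a real install.
DH_PARAMS="${DH_PARAMS:-/var/spool/exim4/gnutls-params}"
EXIM_CONF="${EXIM_CONF:-/etc/exim4/exim4.conf.localmacros}"
DH_BITS="${DH_BITS:-2048}"

# 0 when the config turns TLS on; otherwise there is nothing to generate.
exim_tls_enabled() {
    grep -Eqs '^[[:space:]]*MAIN_TLS_ENABLE[[:space:]]*=[[:space:]]*(yes|true)' "$EXIM_CONF"
}

# Prints the generator command: DH_GEN overrides (assumed hook, handy for
# tests), else certtool (gnutls-bin), else openssl. Fails if none exists.
dh_generator() {
    if [ -n "${DH_GEN:-}" ]; then echo "$DH_GEN"
    elif command -v certtool >/dev/null 2>&1; then
        echo "certtool --generate-dh-params --bits $DH_BITS"
    elif command -v openssl >/dev/null 2>&1; then
        echo "openssl dhparam $DH_BITS"
    else return 1
    fi
}

# Writes to a temp file and renames, so exim can never open a half-written
# parameter file. 0 if params exist or were produced, 1 on failure.
generate_dh_params() {
    [ -s "$DH_PARAMS" ] && return 0
    gen=$(dh_generator) || return 1
    tmp="$DH_PARAMS.tmp.$$"
    if $gen > "$tmp" 2>/dev/null && [ -s "$tmp" ]; then
        chmod 644 "$tmp" && mv -f "$tmp" "$DH_PARAMS"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Init-script hook: skip when TLS is off or params exist, otherwise generate
# in the background so an empty entropy pool cannot hold up exim's startup.
ensure_dh_params_background() {
    exim_tls_enabled || return 0
    [ -s "$DH_PARAMS" ] && return 0
    generate_dh_params &
}
```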