Bug#387448: empty entropy pool leads to DOS
Marc Haber
mh+debian-packages at zugschlus.de
Mon Sep 18 10:53:47 UTC 2006
On Sun, Sep 17, 2006 at 05:26:04PM +0200, Yuri D'Elia wrote:
> On 16 Sep 2006, at 23:48, Marc Haber wrote:
> >>Upstream quickly tagged this as "can't be done": I'd say this is
> >>simply wrong. Everything can be done, provided enough time is given.
> >
> >Do you really think that it should be exim's job to re-implement a
> >good part of a TLS library? Please take this up with upstream or the
> >tech ctte.
>
> This is not what I meant. I clearly don't want to touch any library
> code.
exim upstream has just said that it is impossible to avoid blocking
from within exim as the gnutls calls themselves block.
> My point is that this behavior
> in Exim is broken, and tagging it as "wontfix" is not admitting it
> is.
Please discuss this with upstream.
> >I'd rather invoke a key generation process in the background from the
> >init script if dh parameters are not present.
>
> If you can check whether exim has TLS enabled, it looks fine.
Yes, we can check that. I have built that intelligence into the script
and have also refactored the code in a way that allows
exim4_refresh_gnutls-params to be called at any time.
> >Please send a patch. Please notice that i reserve the right to change
> >your words while applying the patch.
>
> I'm not a native English speaker, so I did my best.
Thanks. I will commit some changes to the docs, but am not going to
make it sound like using the gnutls-bin/openssl based approach is
mandatory.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
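The approach discussed in this thread (only generate DH parameters when exim actually has TLS enabled, and do it in the background from the init script so the daemon is not held up by a slow /dev/random) is sketched below as an added example. It is not the exim4 package's own exim4_refresh_gnutls-params script or any upstream code. The paths (/etc/exim4/exim4.conf.localmacros, /var/spool/exim4/gnutls-params), the MAIN_TLS_ENABLE macro check, the 2048-bit default and the function names are assumptions made for illustration; the only tool invocations used are certtool --generate-dh-params and openssl dhparam, both of which exist in gnutls-bin and openssl respectively.

```shell
#!/bin/sh
# Added example: background DH parameter generation for a TLS-enabled exim.
# Not the Debian exim4 package's script; paths and macro names are assumed.

EXIM_MACROS=${EXIM_MACROS:-/etc/exim4/exim4.conf.localmacros}   # assumed location
DH_FILE=${DH_FILE:-/var/spool/exim4/gnutls-params}               # assumed location
DH_BITS=${DH_BITS:-2048}

# Return 0 when the local macro file enables TLS (MAIN_TLS_ENABLE = true).
exim_tls_enabled() {
    f=${1:-$EXIM_MACROS}
    [ -r "$f" ] && grep -Eq '^[[:space:]]*MAIN_TLS_ENABLE[[:space:]]*=[[:space:]]*(true|yes|1)' "$f"
}

# Return 0 when the DH parameter file is absent or empty (i.e. needs generating).
dh_params_missing() {
    f=${1:-$DH_FILE}
    [ ! -s "$f" ]
}

# Combine the two checks: generate only if TLS is on AND params are missing,
# so a non-TLS host never burns entropy on parameters it will never use.
should_generate() {
    exim_tls_enabled "$1" && dh_params_missing "$2"
}

# Generate parameters into a temp file and rename atomically, so a concurrently
# starting exim never sees a half-written file. Prefers certtool (gnutls-bin),
# falls back to openssl; this is the slow, possibly blocking step.
generate_dh_params() {
    out=${1:-$DH_FILE}; bits=${2:-$DH_BITS}
    tmp="$out.tmp.$$"
    if command -v certtool >/dev/null 2>&1; then
        certtool --generate-dh-params --bits "$bits" --outfile "$tmp"
    elif command -v openssl >/dev/null 2>&1; then
        openssl dhparam -out "$tmp" "$bits"
    else
        echo "neither certtool nor openssl found; cannot generate DH params" >&2
        return 1
    fi && chmod 0640 "$tmp" && mv -f "$tmp" "$out"
}

# Init-script hook: kick off generation in a detached subshell and return
# immediately, so "start" is never blocked by an empty entropy pool.
maybe_generate_in_background() {
    if should_generate "$EXIM_MACROS" "$DH_FILE"; then
        ( generate_dh_params "$DH_FILE" "$DH_BITS" >/dev/null 2>&1 ) &
    fi
}

# Only act when invoked as "start" from an init script; sourcing the file does nothing.
case "${1:-}" in
    start) maybe_generate_in_background ;;
esac
```

Note that this only moves the blocking out of the init script's critical path: until the file exists, a TLS session that needs DH parameters can still be delayed inside the library, which is the point upstream made about the gnutls calls themselves blocking.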