Bug#338319: proposed solutions
Florian Weimer
fw at deneb.enyo.de
Fri Oct 26 20:20:19 UTC 2007
* Nikos Mavrogiannopoulos:

> 2. Generate the parameters in a non-blocking way using /dev/urandom.
> (sol2.patch)

Huh? At least at one point in the past, GNUTLS used /dev/urandom for DH
parameters. Has this changed?

> I believe the third solution is the most elegant. Generating these parameters
> on the fly (sol2) even if /dev/urandom is used is time consuming and not
> really appropriate for a server. The idea is to have them pregenerated.

The main problem is that there is no lock on the file while it is
generated, and that a lot of work is wasted by parallel computation.
Constant DH parameters have been refused by Debian's security pundits.
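
The missing lock and the wasted parallel work mentioned in the reply above, shown as an added example that is not part of the original message or of the exim4 packaging: an exclusive lock plus a second freshness check means only one caller generates, and an atomic rename means readers never see a half-written file. The names `refresh_dh_params`, `is_fresh`, `MAX_AGE`, the `.lock` suffix and the `generate` callback are hypothetical.

```python
import fcntl
import os
import tempfile
import time

MAX_AGE = 24 * 3600  # assumed refresh interval, not taken from the thread


def is_fresh(path, max_age=MAX_AGE):
    """True if the parameter file exists, is non-empty and is recent enough."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return st.st_size > 0 and time.time() - st.st_mtime < max_age


def refresh_dh_params(path, generate, max_age=MAX_AGE):
    """Regenerate `path` at most once, however many callers race.

    `generate(tmp_path)` is a hypothetical callback that writes freshly
    generated DH parameters to tmp_path. Returns True only for the caller
    that actually did the generation.
    """
    if is_fresh(path, max_age):
        return False
    directory = os.path.dirname(os.path.abspath(path))
    with open(path + ".lock", "w") as lock:
        # Blocks here while another process or thread is generating.
        fcntl.flock(lock, fcntl.LOCK_EX)
        # Re-check under the lock: someone may have finished while we waited.
        if is_fresh(path, max_age):
            return False
        fd, tmp = tempfile.mkstemp(dir=directory, prefix=".dhparams-")
        os.close(fd)
        try:
            generate(tmp)
            os.replace(tmp, path)  # atomic on POSIX within one filesystem
        except BaseException:
            os.unlink(tmp)         # do not leave partial output behind
            raise
        return True
    # The lock is released when the lock file is closed on leaving the block.
```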