Bug#338319: proposed solutions
Nikos Mavrogiannopoulos
n.mavrogiannopoulos at gmail.com
Fri Oct 26 21:41:09 UTC 2007
On Friday 26 October 2007, Florian Weimer wrote:
> * Nikos Mavrogiannopoulos:
> > 2. Generate the parameters in a non-blocking way using /dev/urandom.
> > (sol2.patch)
>
> Huh? At least at one point in the past, GNUTLS used /dev/urandom for DH
> parameters. Has this changed?
Indeed. When I added this solution I thought RSA parameters were still
generated in exim4. This is not true thought.
> > I believe the third solution is the most elegant. Generating these
> > parameters on the fly (sol2) even if /dev/urandom is used is time
> > consuming and not really appropriate for a server. The idea is to have
> > them pregenerated.
> The main problem is that there is no lock on the file while it is
> generated, and that a lot of work is wasted by parallel computation.
> Constant DH parameters have been refused by Debian's security pundits.
I don't believe there is nothing wrong with static parameters as long as they
are long enough. SRP uses a set of static parameters anyway.
regards,
Nikos
More information about the Pkg-exim4-maintainers
mailing list