[Pkg-exim4-users] Downgrading or removing TLS due to lack of entropy

Sven Hartge sven at svenhartge.de
Sun Jan 29 22:49:35 UTC 2006


At 15:43 on 19.01.06, Marc Haber wrote:

> Additionally, the latest exim4 packages (starting with 4.60-3) optionally 
> allow building with openssl instead of GnuTLS. If you have the 
> possibility to re-build exim4 locally, this may be an option. I would 
> also be interested in learning whether this actually works better than 
> GnuTLS.

I have been hit by the entropy problem as well, and it was really bad: 
only a few encrypted mails caused a major DoS on my server, because the 
entropy pool was depleted so fast (in fact, just _one_ mail was needed 
for the pool to go from 3500 to about 120) that the kernel was not able to 
refill it fast enough.

After recompiling exim with OpenSSL, this problem went away.

So in my opinion, there is definitely something wrong with GnuTLS, as it uses 
_way_ too much entropy from the pool compared to OpenSSL.

Regards,
Sven.

-- 
Sven Hartge -- professional Unix geek
My thoughts on the net: http://www.svenhartge.de/

Note, new mail address: sven at svenhartge.de
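A small watchdog for the symptom described in this thread, added here as an example and not part of the original post or the exim4 packages: it samples the kernel entropy pool and flags either a sudden drain between two readings or a pool that has fallen below a floor. It assumes a Linux host exposing /proc/sys/kernel/random/entropy_avail; the FLOOR and DROP thresholds are illustrative choices, not values from the post.

```shell
#!/bin/sh
# Added example: watch the kernel entropy pool for the "one mail drains it" pattern.
# Assumptions: Linux /proc interface; thresholds below are illustrative, not from the post.

ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"
FLOOR="${FLOOR:-256}"     # alert when the pool holds fewer bits than this
DROP="${DROP:-1000}"      # alert when one interval loses more bits than this

# read_entropy: print the current pool size, or "unknown" if the file is unreadable
read_entropy() {
    cat "$ENTROPY_FILE" 2>/dev/null || echo unknown
}

# classify PREV CUR: print ok / low / drain / unknown for two successive readings.
# Returns 0 for ok, 1 for low or drain, 2 when the current reading is not a number.
classify() {
    prev=$1; cur=$2
    case "$cur" in
        ''|*[!0-9]*) echo unknown; return 2 ;;
    esac
    if [ "$cur" -lt "$FLOOR" ]; then
        echo low; return 1
    fi
    case "$prev" in
        ''|*[!0-9]*) echo ok; return 0 ;;   # no usable previous sample yet
    esac
    if [ $((prev - cur)) -gt "$DROP" ]; then
        echo drain; return 1
    fi
    echo ok; return 0
}

# monitor INTERVAL COUNT: take COUNT samples INTERVAL seconds apart and log each state
monitor() {
    interval=${1:-5}; count=${2:-12}; prev=""; i=0
    while [ "$i" -lt "$count" ]; do
        cur=$(read_entropy)
        state=$(classify "$prev" "$cur")
        printf '%s entropy_avail=%s state=%s\n' "$(date '+%H:%M:%S')" "$cur" "$state"
        prev=$cur; i=$((i + 1))
        sleep "$interval"
    done
}
```

Run `monitor 5 60` while delivering TLS-encrypted mail to see whether the pool collapses the way the post describes; a "drain" or "low" line is the signal to act on.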


