[Pkg-gnutls-maint] Re: not draining entropy is a good thing

Simon Josefsson jas at extundo.com
Mon Oct 16 19:52:30 UTC 2006


"Anand Kumria" <wildfire at progsoc.org> writes:

> Hi,
>
> I've also stumbled over this problem in the past few days.
>
> The simplest fix, that should stop exim4 from blocking is to make
> gnutls-bin a Depend rather than a Suggest. This would make the
> re-generation of dh_params less likely to block the system from
> continuing.
>
> However that only alleviates the first problem. It would be useful if
> the severity of bug#347210 was important.
>
> As noted by a number of other people, a build of exim4 with openssl
> does not suffer from entropy exhaustion so quickly. It isn't clear
> to me why gnutls (via libgcrypt as I understand it) is depleting the
> pool so rapidly.

Hi.  It doesn't seem clear to anyone. :-(

> Users can basically exhaust entropy on my servers just by sending a
> large (2MiB) email, which causes them pain because mail (delivery,
> submission, etc.) is held up until enough activity has occurred to
> generate further entropy.

That would be very strange!  If true, it suggests that randomness is
required not only during handshake (which is to be expected, although
it is supposed to only use /dev/urandom), but during normal
encryption.

If someone can describe a simple way to reproduce this, I can try to
debug it, but so far it doesn't seem to happen in simple
configurations, and nobody has described the details when this
happens.

/Simon


