[Pkg-gnutls-maint] Mesos-TT#4134222 Re: Maintainer: crywrap/libgnutls
Simon Josefsson
simon at josefsson.org
Tue May 27 15:50:46 UTC 2008
rd at mesos.de writes:
>> Note that libgcrypt (which gnutls uses) never reads from /dev/random
>> unless you are generating private keys. If you are using just normal
>> TLS sessions, it should only read from /dev/urandom. What exactly is
>> crywrap doing when it stalls?
>
> At that moment crywrap is only starting. It should just bind to port
> 993 and wait there for new connections.

Hm. I just read the crywrap source code. It is generating RSA/DH
parameters in the process, which is a bad idea.

First, temporary RSA parameters are only needed for weak export-grade RSA
mode. Do you really want to support this?

Secondly, DH parameters need only be generated once, and you could store
them in a file. Servers shouldn't generate them on-the-fly.

This is similar to what exim did earlier, which I think has been fixed
now. I suspect some old gnutls example is responsible for making
implement this, but I can't find this example in the modern
distribution.

It would be useful to understand why the crywrap designers use gnutls
in this way. Did they copy their code from someone?

/Simon
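
The advice above about generating DH parameters once and storing them in a file, as an added example that is not part of the original message or of crywrap's code: a shell helper, meant for an install or init step, that creates the file only when it is missing so the server's startup path never generates anything. The function name `ensure_dh_params` and any file path passed to it are assumptions; the default generator is GnuTLS's `certtool --generate-dh-params`.

```shell
#!/bin/sh
# Added example: create the DH parameter file once and reuse it afterwards.
#
# ensure_dh_params FILE [GENERATOR ARGS...]
#   GENERATOR is run with a temporary output path appended as its last
#   argument. Default generator (assumes GnuTLS certtool is installed):
#     certtool --generate-dh-params --outfile <tmp>
ensure_dh_params() {
    dh_file=$1
    shift
    [ "$#" -gt 0 ] || set -- certtool --generate-dh-params --outfile

    # Fast path: a non-empty file already exists, so nothing is generated
    # and no entropy is consumed.
    if [ -s "$dh_file" ]; then
        return 0
    fi

    dh_dir=$(dirname -- "$dh_file")
    dh_tmp=$(mktemp "$dh_dir/.dhparams.XXXXXX") || return 1

    # Write to a temporary file in the same directory and rename it into
    # place, so a server starting at the same moment never reads a
    # half-written parameter file.
    if "$@" "$dh_tmp" && [ -s "$dh_tmp" ]; then
        # DH parameters are public values; world-readable is fine.
        chmod 0644 "$dh_tmp" && mv -f -- "$dh_tmp" "$dh_file"
    else
        # Generation failed: leave no partial file behind.
        rm -f -- "$dh_tmp"
        return 1
    fi
}

# Typical call from a package post-install or init script (path is a
# hypothetical example):
#   ensure_dh_params /var/lib/myserver/dh.pem
```

The server then only reads the stored file at startup; in GnuTLS's C API that is `gnutls_dh_params_import_pkcs3()` in place of a generate call.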