Bug#387448: empty entropy pool leads to DOS
Marc Haber
mh+debian-packages at zugschlus.de
Sat Sep 16 21:48:27 UTC 2006
On Sat, Sep 16, 2006 at 06:09:35PM +0200, Yuri D'Elia wrote:
> On 16 Sep 2006, at 15:39, Andreas Metzler wrote:
> >The only thing causing exim to block on STARTTLS is key and dh-param
> >generation. Both is done offline (/etc/cron.daily/exim4-base invoking
> >/usr/share/exim4/exim4_refresh_gnutls-params which uses certtool).
>
> I noticed that gnutls-bin was "suggested" after the maintainer reply.
> Since I already have openssl installed, I simply ignored the
> suggestion. I'm happy the parameters can be generated outside of
> exim, as this downgrades the severity (somewhat) of the problem.
It is now more clearly documented.
> Upstream quickly tagged as this as "can't be done": I'd say this
> simply wrong. Everything can be done, provided enough time is given.
Do you really think that it should be exim's job to re-implement a
good part of a TLS library? Please take this up with upstream or the
tech ctte.
> About Debian. Since the race _can_ be avoided (my bad I didn't
> notice), I'd say that it's a priority to inform users enough. A
> simple Suggest isn't enough, as proven by the reports already filed.
What should we do?
> Maybe examples/exim-gencert in exim4-base should call the cron job in
> order to generate the keys immediately.
I'd rather invoke a key generation process in the background from the
init script if dh parameters are not present.
> README.Debian, instead of suggesting to check /dev/random, should
> inform that generation of keys in STARTTLS is subject to dossability,
> and thus, when setting up TLS and generating the certificates, the
> relative keys should be generated immediately too (this should be
> enough since README.Debian is referenced in
> main/03_exim4-config_tlsoptions), mentioning that gnutls-bin is
> _required_ to perform the task.
Please send a patch. Please notice that i reserve the right to change
your words while applying the patch.
> Also note that openssl can be used to generate the keys (in fact, I'm
> using openssl now), which is a problem less.
Please send a patch.
> Maybe the Suggest: can also be raised to a Recommend too.
I think that Suggests: is appopriate, as of Policy 7.2. If you
disagree, please take this to the tech ctte.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
More information about the Pkg-exim4-maintainers
mailing list