[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [gnutls-dev] Re: ongoing entropy problems
From: |
Nikos Mavrogiannopoulos |
Subject: |
Re: [gnutls-dev] Re: ongoing entropy problems |
Date: |
Wed, 1 Feb 2006 13:14:06 +0100 |
On 2/1/06, Simon Josefsson <address@hidden> wrote:
> > 1. Does gnutls use GCRY_VERY_STRONG_RANDOM?
> Yes, in gc_random() which is used by RAND_bytes in
> libextra/gnutls_openssl.c. Otherwise, no, as far as I can see.
Indirectly it is used during key generation. I believe libgcrypt
uses GCRY_VERY_STRONG_RANDOM to generate an RSA key. This
is the reason exim was blocking. It was creating an RSA key per
connection (which is not really needed).
> Is exim using the OpenSSL compatibility interface? Does it invoke
> RAND_bytes?
no, it uses a direct implementation.
> > 2. Does gnutls save the random seed file?
> > gcry_control (GCRYCTL_SET_RANDOM_SEED_FILE, filename);
> > atexit:
> > gcry_control (GCRYCTL_UPDATE_RANDOM_SEED_FILE);
> No. Should it? What should we use as the filename?
I also don't think we should use it. gnutls doesn't need to know about that.
It could be used by exim though because of the way it works.
> > 3. Does the problem only occur for inetd invoked exims?
> I don't know.
It occurs for any way you run exim. The problem is that exim is
forking and then initializing gnutls and everything else after every fork.
As far as I was told, there is no other way to do that. However a fork
happens really often in exim, thus is causes that problem.