Debian Bug report logs - #338319
incoming connections timing out after STARTTLS (entropy issue?)

Package: exim4; Maintainer for exim4 is Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>; Source for exim4 is src:exim4.

Reported by: fgkoehler@openunix.de

Date: Wed, 9 Nov 2005 13:33:05 UTC

Severity: important

Tags: moreinfo

Merged with 343085

Found in versions exim4/4.50-8, exim4/4.54-2

Fixed in version 4.63-4

Done: Marc Haber <mh+debian-packages@zugschlus.de>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#338319; Package exim4.

Acknowledgement sent to fgkoehler@openunix.de:
New Bug report received and forwarded. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>.

Message #5 received at submit@bugs.debian.org:

From: "Franz G. Koehler" <fgkoehler@openunix.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: exim4: TLS does not work any more after upgrade
Date: Wed, 09 Nov 2005 14:23:41 +0100
Package: exim4
Version: 4.50-8
Severity: important

Hello,

since applying the latest security updates exim4 does not initialize nor
accept successfully TLS connections.

From the remote side:


2005-11-09 08:38:41 1EZkSZ-0003Kc-Pn SMTP timeout while connected to hermes.frankfurt.de.velia.net [85.195.64.15] after STARTTLS: Connection timed out
2005-11-09 08:38:41 1EZkSZ-0003Kc-Pn == xxxx@xxxxx.xxx R=xxxxxxxxxxxxxx T=remote_smtp defer (110): Connection timed out: SMTP timeout while connected to hermes.frankfurt.de.velia.net [85.195.64.15] after STARTTLS
2005-11-09 09:02:46 1EZkpt-0003Wf-Hh SMTP timeout while connected to hermes.frankfurt.de.velia.net [85.195.64.15] after STARTTLS: Connection timed out
2005-11-09 09:02:46 1EZkpt-0003Wf-Hh SMTP timeout while connected to hermes.frankfurt.de.velia.net [85.195.64.15] after STARTTLS: Connection timed out

On the local side, there is no notification in the logfile, until the
exim processes are killed manually, they simply do not respond:

2005-11-09 09:28:31 SMTP connection from proteus.wiesbaden.de.velia.net [151.189.12.60] closed after SIGTERM
2005-11-09 09:28:31 SMTP connection from proteus.wiesbaden.de.velia.net [151.189.12.60] closed after SIGTERM
2005-11-09 09:28:31 SMTP connection from proteus.wiesbaden.de.velia.net [151.189.12.60] closed after SIGTERM
2005-11-09 09:28:31 SMTP connection from proteus.wiesbaden.de.velia.net [151.189.12.60] closed after SIGTERM
2005-11-09 09:37:47 SMTP connection from proteus.wiesbaden.de.velia.net [151.189.12.60] closed after SIGTERM
2005-11-09 09:37:47 SMTP connection from proteus.wiesbaden.de.velia.net [151.189.12.60] closed after SIGTERM
2005-11-09 09:37:47 SMTP connection from proteus.wiesbaden.de.velia.net [151.189.12.60] closed after SIGTERM


Workaround:
Disable TLS in the configuration (tls_advertise_hosts = !*)(hosts_avoid_tls=*)


This bug might be openssl-related since it was included in recent
updates.




-- Package-specific info:
Exim version 4.50 #1 built 27-May-2005 08:10:05
Copyright (c) University of Cambridge 2004
Berkeley DB: Sleepycat Software: Berkeley DB 4.2.52: (December  3, 2003)
Support for: iconv() IPv6 PAM Perl GnuTLS Content_Scanning Old_Demime
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql
Authenticators: cram_md5 cyrus_sasl plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Configuration file is /etc/exim4/exim4.conf
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'

dc_eximconfig_configtype='internet'
dc_other_hostnames='hermes.frankfurt.de.velia.net'
dc_local_interfaces=''
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname=''
dc_mailname_in_oh='true'
mailname:hermes.frankfurt.de.velia.net

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.14
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages exim4 depends on:
ii  exim4-base                    4.50-8     support files for all exim MTA (v4
ii  exim4-daemon-heavy            4.50-8     exim MTA (v4) daemon with extended

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#338319; Package exim4.

Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>.

Message #10 received at 338319@bugs.debian.org:

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: fgkoehler@openunix.de, 338319@bugs.debian.org
Subject: Re: Bug#338319: exim4: TLS does not work any more after upgrade
Date: Wed, 9 Nov 2005 14:50:22 +0100
On Wed, Nov 09, 2005 at 02:23:41PM +0100, Franz G. Koehler wrote:
> since applying the latest security updates exim4 does not initialize nor
> accept successfully TLS connections.

I cannot reproduce this. Works fine here.

> 2005-11-09 08:38:41 1EZkSZ-0003Kc-Pn SMTP timeout while connected to hermes.frankfurt.de.velia.net [85.195.64.15] after STARTTLS: Connection timed out
> 2005-11-09 08:38:41 1EZkSZ-0003Kc-Pn == xxxx@xxxxx.xxx R=xxxxxxxxxxxxxx T=remote_smtp defer (110): Connection timed out: SMTP timeout while connected to hermes.frankfurt.de.velia.net [85.195.64.15] after STARTTLS
> 2005-11-09 09:02:46 1EZkpt-0003Wf-Hh SMTP timeout while connected to hermes.frankfurt.de.velia.net [85.195.64.15] after STARTTLS: Connection timed out
> 2005-11-09 09:02:46 1EZkpt-0003Wf-Hh SMTP timeout while connected to hermes.frankfurt.de.velia.net [85.195.64.15] after STARTTLS: Connection timed out
> 
> On the local side, there is no notification in the logfile, until the
> exim processes are killed manually, they simply do not respond:
> 
> 2005-11-09 09:28:31 SMTP connection from proteus.wiesbaden.de.velia.net [151.189.12.60] closed after SIGTERM
> 2005-11-09 09:28:31 SMTP connection from proteus.wiesbaden.de.velia.net [151.189.12.60] closed after SIGTERM
> 2005-11-09 09:28:31 SMTP connection from proteus.wiesbaden.de.velia.net [151.189.12.60] closed after SIGTERM
> 2005-11-09 09:28:31 SMTP connection from proteus.wiesbaden.de.velia.net [151.189.12.60] closed after SIGTERM
> 2005-11-09 09:37:47 SMTP connection from proteus.wiesbaden.de.velia.net [151.189.12.60] closed after SIGTERM
> 2005-11-09 09:37:47 SMTP connection from proteus.wiesbaden.de.velia.net [151.189.12.60] closed after SIGTERM
> 2005-11-09 09:37:47 SMTP connection from proteus.wiesbaden.de.velia.net [151.189.12.60] closed after SIGTERM

Does your system have enough entropy?

> This bug might be openssl-related since it was included in recent
> updates.

exim4 does not use openssl, it uses GnuTLS.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835



Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#338319; Package exim4.

Acknowledgement sent to Laurent Fousse <laurent@komite.net>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>.

Message #15 received at 338319@bugs.debian.org:

From: Laurent Fousse <laurent@komite.net>
To: Marc Haber <mh+debian-packages@zugschlus.de>
Cc: fgkoehler@openunix.de, 338319@bugs.debian.org
Subject: Re: Bug#338319: exim4: TLS does not work any more after upgrade
Date: Fri, 2 Dec 2005 08:04:01 +0100
Hello,

* Marc Haber [2005-11-09]:
> On Wed, Nov 09, 2005 at 02:23:41PM +0100, Franz G. Koehler wrote:
> > since applying the latest security updates exim4 does not initialize nor
> > accept successfully TLS connections.
> 
> I cannot reproduce this. Works fine here.

I can. I have the same timeouts after STARTTLS.

> Does your system have enough entropy?

This is a server with no keyboard attached, it might lack entropy.

Trying a manual delivery with exim4 -v -d -M <mid> :

[...]
81.56.190.81 in hosts_avoid_tls? no (option unset)
  SMTP>> STARTTLS
waiting for data on socket
read response data: size=18
  SMTP<< 220 TLS go ahead
initializing GnuTLS as a client
parameter cache file /var/spool/exim4/gnutls-params does not exist
generating 512 bit RSA key...
selecting on subprocess pipes
selecting on subprocess pipes
selecting on subprocess pipes
[...]

with the last line repeated until the other end times out.

Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#338319; Package exim4.

Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>.

Message #20 received at 338319@bugs.debian.org:

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Laurent Fousse <laurent@komite.net>
Cc: fgkoehler@openunix.de, 338319@bugs.debian.org
Subject: Re: Bug#338319: exim4: TLS does not work any more after upgrade
Date: Fri, 2 Dec 2005 08:16:36 +0100
On Fri, Dec 02, 2005 at 08:04:01AM +0100, Laurent Fousse wrote:
> * Marc Haber [2005-11-09]:
> > On Wed, Nov 09, 2005 at 02:23:41PM +0100, Franz G. Koehler wrote:
> > > since applying the latest security updates exim4 does not initialize nor
> > > accept successfully TLS connections.
> > 
> > I cannot reproduce this. Works fine here.
> 
> I can. I have the same timeouts after STARTTLS.
> 
> > Does your system have enough entropy?
> 
> This is a server with no keyboard attached, it might lack entropy.

Please find that out by looking at
/proc/sys/kernel/random/entropy_avail. If there is no entropy
available, there is nothing the exim packages can do.

Greetings
Marc




Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#338319; Package exim4.

Acknowledgement sent to Laurent Fousse <laurent@komite.net>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>.

Message #25 received at 338319@bugs.debian.org:

From: Laurent Fousse <laurent@komite.net>
To: Marc Haber <mh+debian-packages@zugschlus.de>
Cc: fgkoehler@openunix.de, 338319@bugs.debian.org
Subject: Re: Bug#338319: exim4: TLS does not work any more after upgrade
Date: Fri, 2 Dec 2005 08:22:42 +0100
* Marc Haber [Fri, Dec 02, 2005 at 08:16:36AM +0100]:
> > This is a server with no keyboard attached, it might lack entropy.
> 
> Please find that out by looking at
> /proc/sys/kernel/random/entropy_avail. If there is no entropy
> available, there is nothing the exim packages can do.

I can't reproduce it now. Somehow, one of the delivering exim
processes lived long enough to gather entropy and produce the DH
parameters file. It seems to me that the other delivery attempts were
killed in the middle of trying to generate this file because of the
smtp timeout.

Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#338319; Package exim4.

Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>.

Message #30 received at 338319@bugs.debian.org:

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: 338319@bugs.debian.org, 338319-submitter@bugs.debian.org, fgkoehler@openunix.de
Cc: Marc Haber <mh+debian-packages@zugschlus.de>
Subject: Re: Re: Bug#338319: exim4: TLS does not work any more after upgrade
Date: Sat, 17 Dec 2005 15:43:37 +0100
tags #338319 moreinfo
retitle #338319 incoming connections timing out after STARTTLS (entropy issue?)
thanks

On Wed, Nov 09, 2005 at 02:50:22PM +0100, Marc Haber wrote:
> Does your system have enough entropy?

I'd like to see an answer to this question. When your exim hangs, what
value can be found in /proc/sys/kernel/random/entropy_avail?

Greetings
Marc




Tags added: moreinfo. Request was from Marc Haber <mh+debian-packages@zugschlus.de> to control@bugs.debian.org.

Changed Bug title. Request was from Marc Haber <mh+debian-packages@zugschlus.de> to control@bugs.debian.org.

Merged 338319 343085. Request was from Marc Haber <mh+debian-packages@zugschlus.de> to control@bugs.debian.org.

Message sent on to fgkoehler@openunix.de:
Bug#338319.

Tags added: moreinfo. Request was from Florian Weimer <fw@deneb.enyo.de> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#338319; Package exim4.

Acknowledgement sent to Jose Calhariz <jose.calhariz@tagus.ist.utl.pt>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>.

Message #46 received at 338319@bugs.debian.org:

From: Jose Calhariz <jose.calhariz@tagus.ist.utl.pt>
To: 338319@bugs.debian.org
Subject: I believe I have the same problem
Date: Tue, 14 Mar 2006 00:43:27 +0000
I believe I have the same problem.  One server of mine stopped sending
email 3 days ago.  Today when I investigated whether everything was
all right I found many exim4 processes processing email, and some
zombies.

I have killed them all and tried to restart exim4 to no avail.

I have started exim4 with "exim4 -d -q -qq".  The last interesting
messages were:

193.136.166.70 in hosts_avoid_esmtp? no (option unset)
  SMTP>> EHLO zilda.tagus.ist.utl.pt
waiting for data on socket
read response data: size=83
  SMTP<< 250-mail.tagus.ist.utl.pt
         250-PIPELINING
         250-STARTTLS
         250-SIZE 0
         250 8BITMIME
193.136.166.70 in hosts_avoid_tls? no (option unset)
  SMTP>> STARTTLS
waiting for data on socket
read response data: size=19
  SMTP<< 220 ready for tls
initializing GnuTLS as a client
generating 512 bit RSA key...
selecting on subprocess pipes
selecting on subprocess pipes
...

I have done cat /proc/sys/kernel/random/entropy_avail and returned 0.
I will try to recover the server without rebooting the machine or
turning off TLS on exim4.

Do you need more information?

    José Calhariz

-- 
	A prisoner of war is a man who tries to kill you, fails, and
	begs you not to kill him.
		-- Winston Churchill
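Marc's entropy_avail check and José's reading of 0 above, combined into one small diagnostic. This is an added example, not a script from the exim4 package or from anyone in this thread; the paths are the ones quoted in the thread, and the 256-bit threshold is an assumption (the thread only shows that 0 is fatal).

```shell
#!/bin/sh
# Added diagnostic, not part of the exim4 package or of this bug thread.
# It reports whether a host is in the state described in this report: an
# empty kernel entropy pool and no cached GnuTLS parameter file, so the
# first TLS handshake blocks on parameter generation until the peer's SMTP
# timeout fires. Default paths are the Linux and Debian exim4 locations
# quoted in the thread; the threshold is an assumption (only 0 is known
# from the thread to be fatal).

ENTROPY_FILE=${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}
PARAMS_FILE=${PARAMS_FILE:-/var/spool/exim4/gnutls-params}
ENTROPY_MIN=${ENTROPY_MIN:-256}

# read_entropy FILE -> prints the pool size, or "unknown" if the file is
# unreadable or not a number (non-Linux host, /proc not mounted)
read_entropy() {
    v=$(cat "$1" 2>/dev/null || :)
    case $v in
        ''|*[!0-9]*) printf 'unknown\n' ;;
        *)           printf '%s\n' "$v" ;;
    esac
}

# has_params FILE -> true if a non-empty parameter cache exists
has_params() {
    [ -s "$1" ]
}

# diagnose ENTROPY_FILE PARAMS_FILE MIN -> prints one verdict line; returns
#   0  handshakes will not wait on entropy
#   1  the STARTTLS-timeout condition from this report is present
#   2  cannot tell (entropy counter unreadable)
diagnose() {
    ef=$1; pf=$2; min=$3
    if has_params "$pf"; then
        printf 'ok: %s present, handshakes use the cached parameters\n' "$pf"
        return 0
    fi
    avail=$(read_entropy "$ef")
    if [ "$avail" = unknown ]; then
        printf 'unknown: cannot read %s\n' "$ef"
        return 2
    fi
    if [ "$avail" -lt "$min" ]; then
        printf 'risk: no %s and entropy_avail=%s (< %s); TLS handshakes will hang\n' \
            "$pf" "$avail" "$min"
        return 1
    fi
    printf 'ok: no %s yet, but entropy_avail=%s; the first handshake can generate it\n' \
        "$pf" "$avail"
    return 0
}

# Print the verdict. The status is swallowed here so the file can also be
# sourced under set -e; call diagnose directly when you need the code.
diagnose "$ENTROPY_FILE" "$PARAMS_FILE" "$ENTROPY_MIN" || :
```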

Information stored:
Bug#338319; Package exim4.

Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and filed, but not forwarded.

Message #51 received at 338319-quiet@bugs.debian.org:

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: 338319-quiet@bugs.debian.org
Cc: Marc Haber <mh+debian-packages@zugschlus.de>
Subject: Re: Bug#338019
Date: Wed, 21 Jun 2006 20:03:18 +0200
user exim4@packages.debian.org
usertags #338319 gnutls
thanks






Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#338319; Package exim4.

Acknowledgement sent to Ben Collins <bcollins@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>.

Message #56 received at 338319@bugs.debian.org:

From: Ben Collins <bcollins@ubuntu.com>
To: 338319@bugs.debian.org
Subject: [338319] exim4: no entropy on starting
Date: Sun, 27 Aug 2006 23:09:55 +0200
Seems to me this really is a bug about how the server installs itself.

IMO, the best way to handle this would be just like sshd. It does not
generate an RSA key on first connection, it does it when the package is
installed.

Either generate this initial key at install, or detect that TLS is
enabled in the init script and generate it if it doesn't exist.

-- 
Ubuntu     - http://www.ubuntu.com/
Debian     - http://www.debian.org/
Linux 1394 - http://www.linux1394.org/
SwissDisk  - http://www.swissdisk.com/



Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#338319; Package exim4.

Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>.

Message #61 received at 338319@bugs.debian.org:

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Ben Collins <bcollins@ubuntu.com>, 338319@bugs.debian.org, 338319-submitter@bugs.debian.org
Cc: Marc Haber <mh+debian-packages@zugschlus.de>
Subject: Re: Bug#338319: [338319] exim4: no entropy on starting
Date: Sat, 7 Oct 2006 18:51:12 +0200
On Sun, Aug 27, 2006 at 11:09:55PM +0200, Ben Collins wrote:
> IMO, the best way to handle this would be just like sshd. It does not
> generate an RSA key on first connection, it does it when the package is
> installed.
> 
> Either generate this initial key at install, or detect that TLS is
> enabled in the init script and generate it if it doesn't exist.

I am not sure whether this is going to work. Generating dh_parameters
is very fast if enough entropy is available, so in case that enough
entropy is available, we don't need to bother and can have exim
generate them on first connection.

If not enough entropy is available, generating dh_parameters is going
to take a looooooong time, so we'd either have a long delay on package
installation (in which case exim is not going to be available any
earlier), or we'd send the dh_parameters generation in the background
which will cause exim to generate the dh_parameters on first
connection, resulting in exim being unavailable until the
dh_parameters have been built.

Frankly, I don't see a gain in generating the dh_parameters on package
installation or from the init script. Am I missing something?

Greetings
Marc




Message sent on to fgkoehler@openunix.de:
Bug#338319.

Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#338319; Package exim4.

Acknowledgement sent to Ben Collins <ben.collins@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>.

Message #69 received at 338319@bugs.debian.org:

From: Ben Collins <ben.collins@ubuntu.com>
To: Marc Haber <mh+debian-packages@zugschlus.de>
Cc: 338319@bugs.debian.org, 338319-submitter@bugs.debian.org
Subject: Re: Bug#338319: [338319] exim4: no entropy on starting
Date: Sat, 07 Oct 2006 18:55:09 -0400
On Sat, 2006-10-07 at 18:51 +0200, Marc Haber wrote:
> On Sun, Aug 27, 2006 at 11:09:55PM +0200, Ben Collins wrote:
> > IMO, the best way to handle this would be just like sshd. It does not
> > generate an RSA key on first connection, it does it when the package is
> > installed.
> > 
> > Either generate this initial key at install, or detect that TLS is
> > enabled in the init script and generate it if it doesn't exist.
> 
> I am not sure whether this is going to work. Generating dh_parameters
> is very fast if enough entropy is available, so in case that enough
> entropy is available, we don't need to bother and can have exim
> generate them on first connection.
> 
> If not enough entropy is available, generating dh_parameters is going
> to take a looooooong time, so we'd either have a long delay on package
> installation (in which case exim is not going to be available any
> earlier), or we'd send the dh_parameters generation in the background
> which will cause exim to generate the dh_parameters on first
> connection, resulting in exim being unavailable until the
> dh_parameters have been built.
> 
> Frankly, I don't see a gain in generating the dh_parameters on package
> installation or from the init script. Am I missing something?

The benefit is that during installation, people expect things to be
down. When it's installed, people don't expect their smtp server to
start timing out because of lack of entropy.

I had to manually create entropy while an smtp connection was made to my
server, hoping I did it in time, before the smtp connection timed out,
in order for it to start working. I shouldn't have to jump through
hoops. If I installed the package, and it asked for entropy then (or did
it when exim first started up) then you know there's a delay, and you
know why, and it gives you the opportunity to create this entropy
without worrying about things like an smtp connection timing out.

The bad thing about it happening when first connection occurs is that if
the smtp connection times out, all of that entropy it got already is
thrown away. The next connection starts the process again, most likely
with zero entropy at that point.

You should not have to jigger a setup like this.




Message sent on to fgkoehler@openunix.de:
Bug#338319.

Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#338319; Package exim4.

Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>.

Message #77 received at 338319@bugs.debian.org:

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Ben Collins <ben.collins@ubuntu.com>
Cc: 338319@bugs.debian.org, 338319-submitter@bugs.debian.org
Subject: Re: Bug#338319: [338319] exim4: no entropy on starting
Date: Sun, 8 Oct 2006 02:59:37 +0200
On Sat, Oct 07, 2006 at 06:55:09PM -0400, Ben Collins wrote:
> On Sat, 2006-10-07 at 18:51 +0200, Marc Haber wrote:
> > Frankly, I don't see a gain in generating the dh_parameters on package
> > installation or from the init script. Am I missing something?
> 
> The benefit is that during installation, people expect things to be
> down. When it's installed, people don't expect their smtp server to
> start timing out because of lack of entropy.

With gnutls-bin or openssl installed, dh-params are generated
asynchronously, so the only time where no dh-params are available is
right after installation.

> If I installed the package, and it asked for entropy then (or did
> it when exim first started up) then you know there's a delay, and you
> know why, and it gives you the opportunity to create this entropy
> without worrying about things like an smtp connection timing out.
> 
> The bad thing about it happening when first connection occurs is that if
> the smtp connection times out, all of that entropy it got already is
> thrown away. The next connection starts the process again, most likely
> with zero entropy at that point.

If an exim starts creating its own dh-params while the first
asynchronous dh-param generation is already running, you have multiple
processes competing over the precious entropy while both are trying to
accomplish the same.

> You should not have to jigger a setup like this.

Agreed, but I don't see an acceptable fix at the moment.

Greetings
Marc




Message sent on to fgkoehler@openunix.de:
Bug#338319.

Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#338319; Package exim4.

Acknowledgement sent to "Anand Kumria" <wildfire@progsoc.org>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>.

Message #85 received at 338319@bugs.debian.org:

From: "Anand Kumria" <wildfire@progsoc.org>
To: 338319-submitter@bugs.debian.org, 338319@bugs.debian.org
Cc: "Debian GnuTLS Maintainers" <pkg-gnutls-maint@lists.alioth.debian.org>, "Simon Josefsson" <jas@gnutls.org>, "Nikos Mavroyanopoulos" <nmav@gnutls.org>
Subject: not draining entropy is a good thing
Date: Tue, 17 Oct 2006 04:26:32 +1000
Hi,

I've also stumbled over this problem in the past few days.

The simplest fix, that should stop exim4 from blocking is to make
gnutls-bin a Depend rather than a Suggest. This would make the
re-generation of dh_params less likely to block the system from
continuing.

However that only alleviates the first problem. It would be useful if
the severity of bug#347210 was important.

As noted by a number of other people, a build of exim4 with openssl
does not suffer from entropy exhaustion so quickly. It isn't clear
to me why gnutls (via libgcrypt as I understand it) is depleting the
pool so rapidly.

Users can basically exhaust entropy on my servers just by sending a
large (2MiB) email, which causes them pain because mail (delivery,
submission, etc.) is held up until enough activity has occurred to
generate further entropy.

Thanks,
Anand



Message sent on to fgkoehler@openunix.de:
Bug#338319.

Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#338319; Package exim4.

Acknowledgement sent to Simon Josefsson <jas@extundo.com>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>.

Message #93 received at 338319@bugs.debian.org:

From: Simon Josefsson <jas@extundo.com>
To: "Anand Kumria" <wildfire@progsoc.org>
Cc: 338319-submitter@bugs.debian.org, 338319@bugs.debian.org, "Debian GnuTLS Maintainers" <pkg-gnutls-maint@lists.alioth.debian.org>, "Simon Josefsson" <jas@gnutls.org>, "Nikos Mavroyanopoulos" <nmav@gnutls.org>
Subject: Re: not draining entropy is a good thing
Date: Mon, 16 Oct 2006 21:52:30 +0200
"Anand Kumria" <wildfire@progsoc.org> writes:

> Hi,
>
> I've also stumbled over this problem in the past few days.
>
> The simplest fix, that should stop exim4 from blocking is to make
> gnutls-bin a Depend rather than a Suggest. This would make the
> re-generation of dh_params less likely to block the system from
> continuing.
>
> However that only alleviates the first problem. It would be useful if
> the severity of bug#347210 was important.
>
> As noted by a number of other people, a build of exim4 with openssl
> does not suffer from entropy exhaustion so quickly. It isn't clear
> to me why gnutls (via libgcrypt as I understand it) is depleting the
> pool so rapidly.

Hi.  It doesn't seem clear to anyone. :-(

> Users can basically exhaust entropy on my servers just by sending a
> large (2MiB) email, which causes them pain because mail (delivery,
> submission, etc.) is held up until enough activity has occurred to
> generate further entropy.

That would be very strange!  If true, it suggests that randomness is
required not only during handshake (which is to be expected, although
it is supposed to only use /dev/urandom), but during normal
encryption.

If someone can describe a simple way to reproduce this, I can try to
debug it, but so far it doesn't seem to happen in simple
configurations, and nobody has described the details when this
happens.

/Simon



Message sent on to fgkoehler@openunix.de:
Bug#338319.

Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#338319; Package exim4.

Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>.

Message #101 received at 338319@bugs.debian.org:

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Anand Kumria <wildfire@progsoc.org>
Cc: 338319-submitter@bugs.debian.org, 338319@bugs.debian.org, Simon Josefsson <jas@gnutls.org>, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>, Nikos Mavroyanopoulos <nmav@gnutls.org>
Subject: Re: [Pkg-gnutls-maint] not draining entropy is a good thing
Date: Tue, 17 Oct 2006 12:15:56 +0200
On Tue, Oct 17, 2006 at 04:26:32AM +1000, Anand Kumria wrote:
> The simplest fix, that should stop exim4 from blocking is to make
> gnutls-bin a Depend rather than a Suggest.

NACK. I am not yet sure that the changes to
exim4_refresh_gnutls-params will actually fix the issue, and it will
introduce an unnecessary dependency for systems that do not run TLS at
all.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835



Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#338319; Package exim4.

Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>.

Message #109 received at 338319@bugs.debian.org:

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: 338319@bugs.debian.org, 338319-submitter@bugs.debian.org, 343085@bugs.debian.org, 343085-submitter@bugs.debian.org
Cc: Marc Haber <mh+debian-packages@zugschlus.de>, info@j-pfennig.de, fw@deneb.enyo.de, sven@svenhartge.de, micha@lenk.info, fgkoehler@openunix.de, laurent@komite.net, jose.calhariz@tagus.ist.utl.pt, bcollins@ubuntu.com, wildfire@progsoc.org, jas@gnutls.org, nmav@gnutls.org
Subject: Re: tagging 343085
Date: Wed, 11 Jul 2007 08:13:54 +0200
user exim4@packages.debian.org
usertags #338319 close-20071031
usertags #343085 close-20071031
thanks

Hi,

about a year after we implemented some measures to avoid the entropy
issue, the bug has not been reported again in a long time. This leads
me to the conclusion that the issue does not occur any more.

Can you guys please confirm this? I'd like to close these bugs by the
end of October 2007 if the issue does not occur for you.

Greetings
Marc




Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#338319; Package exim4.

Acknowledgement sent to Laurent Fousse <laurent@komite.net>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>.

Message #117 received at 338319@bugs.debian.org:

From: Laurent Fousse <laurent@komite.net>
To: Marc Haber <mh+debian-packages@zugschlus.de>
Cc: 338319@bugs.debian.org
Subject: Re: tagging 343085
Date: Wed, 11 Jul 2007 13:37:42 +0200
Hello,

* Marc Haber [Wed, Jul 11, 2007 at 08:13:54AM +0200]:
> about a year after we implemented some measures to avoid the entropy
> issue, the bug has not been reported again in a long time. This leads
> me to the conclusion that the issue does not occur any more.
> 
> Can you guys please confirm this? I'd like to close these bugs by the
> end of October 2007 if the issue does not occur for you.

The system on which this problem occurred now has a motherboard with
an integrated entropy generator, so I can't reproduce it. For what it's
worth, I haven't seen the issue on other systems without such a
generator.

Laurent.



Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#338319; Package exim4.

Acknowledgement sent to "Anand Kumria" <wildfire@progsoc.org>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>.

Message #122 received at 338319@bugs.debian.org:

From: "Anand Kumria" <wildfire@progsoc.org>
To: "Marc Haber" <mh+debian-packages@zugschlus.de>
Cc: 338319@bugs.debian.org, 338319-submitter@bugs.debian.org, 343085@bugs.debian.org, 343085-submitter@bugs.debian.org, info@j-pfennig.de, fw@deneb.enyo.de, sven@svenhartge.de, micha@lenk.info, fgkoehler@openunix.de, laurent@komite.net, jose.calhariz@tagus.ist.utl.pt, bcollins@ubuntu.com, jas@gnutls.org, nmav@gnutls.org
Subject: Re: tagging 343085
Date: Fri, 27 Jul 2007 22:37:55 +1000
On 7/11/07, Marc Haber <mh+debian-packages@zugschlus.de> wrote:
> user exim4@packages.debian.org
> usertags #338319 close-20071031
> usertags #343085 close-20071031
> thanks
>
> Hi,
>
> about a year after we implemented some measures to avoid the entropy
> issue, the bug has not been reported again in a long time. This leads
> me to the conclusion that the issue does not occur any more.

Certainly it occurs for me still.

Is the fix you are talking about in the stable version (4.63-17) or a
later testing version?

Thanks,
Anand



Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#338319; Package exim4.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>.

Message #130 received at 338319@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: "Anand Kumria" <wildfire@progsoc.org>
Cc: "Marc Haber" <mh+debian-packages@zugschlus.de>, 338319@bugs.debian.org, 338319-submitter@bugs.debian.org, 343085@bugs.debian.org, 343085-submitter@bugs.debian.org, info@j-pfennig.de, sven@svenhartge.de, micha@lenk.info, fgkoehler@openunix.de, laurent@komite.net, jose.calhariz@tagus.ist.utl.pt, bcollins@ubuntu.com, jas@gnutls.org, nmav@gnutls.org
Subject: Re: tagging 343085
Date: Fri, 27 Jul 2007 14:45:53 +0200
* Anand Kumria:

>> about a year after we implemented some measures to avoid the entropy
>> issue, the bug has not been reported again in a long time. This leads
>> me to the conclusion that the issue does not occur any more.
>
> Certainly it occurs for me still.

It has been fixed in version 4.63-4.  Could you show lsof and strace
output from blocking Exim processes?



Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#338319; Package exim4.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>.

Message #138 received at 338319@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: "Anand Kumria" <wildfire@progsoc.org>
Cc: "Marc Haber" <mh+debian-packages@zugschlus.de>, 338319@bugs.debian.org, 338319-submitter@bugs.debian.org, 343085@bugs.debian.org, 343085-submitter@bugs.debian.org, info@j-pfennig.de, sven@svenhartge.de, micha@lenk.info, fgkoehler@openunix.de, laurent@komite.net, jose.calhariz@tagus.ist.utl.pt, bcollins@ubuntu.com, jas@gnutls.org, nmav@gnutls.org
Subject: Re: tagging 343085
Date: Fri, 03 Aug 2007 12:05:57 +0200
* Florian Weimer:

> * Anand Kumria:
>
>>> about a year after we implemented some measures to avoid the entropy
>>> issue, the bug has not been reported again in a long time. This leads
>>> me to the conclusion that the issue does not occur any more.
>>
>> Certainly it occurs for me still.
>
> It has been fixed in version 4.63-4.  Could you show lsof and strace
> output from blocking Exim processes?

Ping.  Are you absolutely sure that you still suffer from this bug?



Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#338319; Package exim4.

Acknowledgement sent to Jose Calhariz <jose.calhariz@tagus.ist.utl.pt>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>.

Message #146 received at 338319@bugs.debian.org:

From: Jose Calhariz <jose.calhariz@tagus.ist.utl.pt>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: Anand Kumria <wildfire@progsoc.org>, Marc Haber <mh+debian-packages@zugschlus.de>, 338319@bugs.debian.org, 338319-submitter@bugs.debian.org, 343085@bugs.debian.org, 343085-submitter@bugs.debian.org, info@j-pfennig.de, sven@svenhartge.de, micha@lenk.info, fgkoehler@openunix.de, laurent@komite.net, jose.calhariz@tagus.ist.utl.pt, bcollins@ubuntu.com, jas@gnutls.org, nmav@gnutls.org
Subject: Re: tagging 343085
Date: Fri, 3 Aug 2007 20:23:55 +0100
On Fri, Aug 03, 2007 at 12:05:57PM +0200, Florian Weimer wrote:
> * Florian Weimer:
> 
> > * Anand Kumria:
> >
> >>> about a year after we implemented some measures to avoid the entropy
> >>> issue, the bug has not been reported again in a long time. This leads
> >>> me to the conclusion that the issue does not occur any more.
> >>
> >> Certainly it occurs for me still.
> >
> > It has been fixed in version 4.63-4.  Could you show lsof and strace
> > output from blocking Exim processes?
> 
> Ping.  Are you absolutely sure that you still suffer from this bug?
> 

Thanks for your contact.

With recent kernels on Debian sarge, or running Debian etch, I haven't
had any more problems with lack of entropy in general or with exim
stopping to send emails.  So I don't have any more problems with exim4.

I can't confirm whether your changes solved my problem or whether I
solved it by upgrading the kernel.

    José Calhariz



-- 
P.S. [En_US] The sig below is from my random sig-generator, which strangely
often seems to pick signatures which are appropriate to the message at
hand!

P.S. [Pt_Pt] The signature below is from the random signature generator,
which, strangely, often picks signatures that seem appropriate to the
email!
--

Friendship is a love that never dies.

--Mário Quintana

Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#338319; Package exim4.

Acknowledgement sent to Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>.

Message #154 received at 338319@bugs.debian.org:

From: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
To: 338319@bugs.debian.org
Subject: proposed solutions
Date: Mon, 22 Oct 2007 00:13:20 +0300
I've seen that this problem has been open for quite a long time, and I believe
it occurs because exim tries to generate Diffie-Hellman parameters on the fly
when they don't exist. This situation may occur when the gnutls-params file is
missing. I propose some solutions.

1. Return an error if the gnutls-params file does not exist. (sol1.patch)

2. Generate the parameters in a non-blocking way using /dev/urandom. 
(sol2.patch)

3. Read static parameters if the file does not exist.


I believe the third solution is the most elegant. Generating these parameters 
on the fly (sol2) even if /dev/urandom is used is time consuming and not 
really appropriate for a server. The idea is to have them pregenerated. 

Using static parameters (sol3) does no harm in any way.
If somebody wants different ones, he can generate them.

So the 
[sol1.patch (text/x-diff, attachment)]
[sol2.patch (text/x-diff, attachment)]
[sol3.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#338319; Package exim4.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>.

Message #159 received at 338319@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
Cc: 338319@bugs.debian.org
Subject: Re: Bug#338319: proposed solutions
Date: Fri, 26 Oct 2007 22:20:19 +0200
* Nikos Mavrogiannopoulos:

> 2. Generate the parameters in a non-blocking way using /dev/urandom. 
> (sol2.patch)

Huh?  At least at one point in the past, GNUTLS used /dev/urandom for DH
parameters.  Has this changed?

> I believe the third solution is the most elegant. Generating these parameters 
> on the fly (sol2) even if /dev/urandom is used is time consuming and not 
> really appropriate for a server. The idea is to have them pregenerated. 

The main problem is that there is no lock on the file while it is
generated, and that a lot of work is wasted by parallel computation.

Constant DH parameters have been refused by Debian's security pundits.
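
A script illustrating the lock-and-rename refresh that the remark about the missing lock calls for, added here as an example; it is not exim4's own exim4_refresh_gnutls-params script, and the output path and the certtool invocation in its comments are assumptions:

```shell
#!/bin/sh
# Added example, not exim4's exim4_refresh_gnutls-params: refresh a
# pregenerated DH-parameter file (the gnutls-params file of this thread)
# under a lock and publish it by atomic rename, so that concurrent callers
# wait for one generation instead of each burning CPU and entropy on their
# own copy, and readers never observe a half-written file.
#
# Usage: refresh_dh_params OUTFILE GENERATOR [ARGS...]
#   GENERATOR writes PEM-encoded DH parameters to stdout, e.g. (gnutls-bin;
#   path and certtool invocation are assumptions for illustration):
#     refresh_dh_params /var/spool/exim4/gnutls-params \
#         certtool --generate-dh-params --bits 2048
refresh_dh_params() {
    out=$1; shift
    lockdir="$out.lock"          # mkdir(2) is atomic on POSIX filesystems
    tmp="$out.tmp.$$"
    marker="$out.req.$$"
    : > "$marker"                # records when this caller asked for a refresh

    # Wait for the lock rather than generate in parallel; give up after about
    # ten minutes so a crashed generator holding the lock cannot wedge callers.
    tries=0
    until mkdir "$lockdir" 2>/dev/null; do
        tries=$((tries + 1))
        if [ "$tries" -gt 600 ]; then
            echo "refresh_dh_params: timed out waiting for $lockdir" >&2
            rm -f "$marker"
            return 1
        fi
        sleep 1
    done

    # If the holder we waited for already produced a fresh file, reuse it.
    if [ -s "$out" ] && [ "$out" -nt "$marker" ]; then
        rm -f "$marker"; rmdir "$lockdir"
        return 0
    fi

    # Generate into a private temp file; rename(2) publishes it in one step,
    # and a failing generator (e.g. certtool not installed) keeps the old file.
    if "$@" > "$tmp" && [ -s "$tmp" ]; then
        mv -f "$tmp" "$out"
        rm -f "$marker"; rmdir "$lockdir"
        return 0
    fi
    echo "refresh_dh_params: generator failed, keeping old $out" >&2
    rm -f "$tmp" "$marker"; rmdir "$lockdir"
    return 1
}
```

Run from cron as the exim user with a real generator; the waiter path is what protects against the parallel computation described above.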




Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#338319; Package exim4.

Acknowledgement sent to Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>.

Message #164 received at 338319@bugs.debian.org:

From: Nikos Mavrogiannopoulos <n.mavrogiannopoulos@gmail.com>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: 338319@bugs.debian.org
Subject: Re: Bug#338319: proposed solutions
Date: Sat, 27 Oct 2007 00:41:09 +0300
On Friday 26 October 2007, Florian Weimer wrote:
> * Nikos Mavrogiannopoulos:
> > 2. Generate the parameters in a non-blocking way using /dev/urandom.
> > (sol2.patch)
>
> Huh?  At least at one point in the past, GNUTLS used /dev/urandom for DH
> parameters.  Has this changed?

Indeed. When I added this solution I thought RSA parameters were still 
generated in exim4. This is not true, though.

> > I believe the third solution is the most elegant. Generating these
> > parameters on the fly (sol2) even if /dev/urandom is used is time
> > consuming and not really appropriate for a server. The idea is to have
> > them pregenerated.
> The main problem is that there is no lock on the file while it is
> generated, and that a lot of work is wasted by parallel computation.

> Constant DH parameters have been refused by Debian's security pundits.

I don't believe there is anything wrong with static parameters as long as they 
are long enough. SRP uses a set of static parameters anyway.


regards,
Nikos





Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#338319; Package exim4.

Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>.

Message #169 received at 338319@bugs.debian.org:

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Anand Kumria <wildfire@progsoc.org>
Cc: Florian Weimer <fw@deneb.enyo.de>, 338319@bugs.debian.org, 338319-submitter@bugs.debian.org, Marc Haber <mh+debian-packages@zugschlus.de>, 343085@bugs.debian.org, 343085-submitter@bugs.debian.org, info@j-pfennig.de, sven@svenhartge.de, micha@lenk.info, fgkoehler@openunix.de, laurent@komite.net, jose.calhariz@tagus.ist.utl.pt, bcollins@ubuntu.com, jas@gnutls.org, nmav@gnutls.org
Subject: Re: Bug#338319: tagging 343085
Date: Wed, 31 Oct 2007 21:43:10 +0100
On Fri, Aug 03, 2007 at 12:05:57PM +0200, Florian Weimer wrote:
> * Florian Weimer:
> > * Anand Kumria:
> >>> about a year after we implemented some measures to avoid the entropy
> >>> issue, the bug has not been reported again in a long time. This leads
> >>> me to the conclusion that the issue does not occur any more.
> >>
> >> Certainly it occurs for me still.
> >
> > It has been fixed in version 4.63-4.  Could you show lsof and strace
> > output from blocking Exim processes?
> 
> Ping.  Are you absolutely sure that you still suffer from this bug?

Ping again. Please show lsof and strace output from blocking Exim
processes.

I'll close this bug by the end of November 2007 otherwise.

Greetings
Marc





Reply sent to Marc Haber <mh+debian-packages@zugschlus.de>:
You have taken responsibility.

Notification sent to fgkoehler@openunix.de:
Bug acknowledged by developer.

Message #177 received at 338319-done@bugs.debian.org:

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: 338319-done@bugs.debian.org, 338319-submitter@bugs.debian.org
Cc: Anand Kumria <wildfire@progsoc.org>, Florian Weimer <fw@deneb.enyo.de>, info@j-pfennig.de, sven@svenhartge.de, micha@lenk.info, fgkoehler@openunix.de, laurent@komite.net, jose.calhariz@tagus.ist.utl.pt, bcollins@ubuntu.com, jas@gnutls.org, nmav@gnutls.org
Subject: Re: Bug#338319: tagging 343085
Date: Tue, 4 Dec 2007 11:31:24 +0100
Version: 4.63-4

On Wed, Oct 31, 2007 at 09:43:10PM +0100, Marc Haber wrote:
> I'll close this bug by the end of November 2007 otherwise.

Doing so now.

Greetings
Marc





Reply sent to Marc Haber <mh+debian-packages@zugschlus.de>:
You have taken responsibility.

Notification sent to Dr. Jürgen Pfennig <info@j-pfennig.de>:
Bug acknowledged by developer.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 02 Jan 2008 07:27:03 GMT)

Bug unarchived. Request was from Florian Weimer <fw@deneb.enyo.de> to control@bugs.debian.org. (Fri, 04 Jan 2008 13:22:33 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 19 Feb 2008 07:29:02 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 05:39:53 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.