[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[gnutls-dev] Re: gnutls_rsa_params_init hangs. Is regenerating rsa-param

From: Simon Josefsson
Subject: [gnutls-dev] Re: gnutls_rsa_params_init hangs. Is regenerating rsa-params once a day to frequent?
Date: Tue, 14 Dec 2004 16:09:21 +0100
User-agent: Gnus/5.110003 (No Gnus v0.3) Emacs/21.3.50 (gnu/linux)

Andreas Metzler <address@hidden> writes:

> Hello,


> exim4 uses gnutls for TLS/SSL and we (on Debian) have chosen to
> configure it to regenerate rsa and dh params once a day. However
> promptly after this change we received a bug-report[1] telling us that
> exim just hang. Further analysis showed that
> gnutls_rsa_params_generate2(rsa_params, 512);
> got stuck on his system, waiting indefinitely for new data to appear
> in /dev/random.
> I am a little bit at loss on how to deal with this. Is "once a day"
> too frequent as a default value?

I don't think so.

> Can (Should) gnutls_rsa_params_generate2 deal more gracefully with
> systems with little data in /dev/random (by using urandom after a
> timeout or supporting alternative entropy gathering devices?)

Yes, ideally.  This was suggested recently, and as a consequence TODO
now reads:

- Add progress handler gnutls_{dh,rsa}_params_generate2, to allow
  application to give progress feedback to user.
- Support non-blocking gnutls_{dh,rsa}_params_generate2 for when there
  is not enough entropy available.

If someone wants to work on this, that would be useful...

> Is exim faulty for running gnutls_rsa_params_generate2 while handling
> an incoming connection? (Not faulty as in in "not optimal" but as in
> "the stupiest idea I've ever heard of, everybody using gnutls seriously
> knows that you put running gnutls_rsa_params_generate2 in a separate
> little thread/program")

I wouldn't say faulty, but as you suggest, it may be sub-optimal.  You
could have a stand-alone program that generate dh/rsa parameters, save
the data to a file and ask the main process to re-load its data.  Or
use a separate thread.

I suspect the manual should discuss this problem.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]