[Exim] Exim 4.12, GnuTLS & Entropy ...

Página superior
Eliminar este mensaje
Responder a este mensaje
Autor: Sander Smeenk
Fecha:  
A: exim-users
Asunto: [Exim] Exim 4.12, GnuTLS & Entropy ...
Hi,

I have succesfully built Exim 4.12 with GnuTLS (0.8.1) but for some
reason this Exim is incapable of getting enough entropy no matter what I
do on my system, it seems like it doesn't check for new random bytes...

It also fails to create /var/spool/exim/gnutls.params, even when
/var/spool/exim is set worldwritable :) If I create that file myself,
Exim tells me that TLS is currently not available, which ofcourse is
logic since it expects to read its parameters from that file but it is
empty.

For testing purposes I use gnutls-cli:

This happens with the Exim 4.12 installation on my system:

| [10:46] [ssmeenk@valor: .. exim-tls/exim-tls-4.12] % gnutls-cli -s -p 25 localhost
| Resolving 'localhost'...
| Connecting to '127.0.0.1:25'...

|
| - Simple Client Mode:

|
| 220 valor.freshdot.net ESMTP Exim 4.12 Mon, 27 Jan 2003 10:46:56 +0100
| EHLO localhost
| 250-valor.freshdot.net Hello localhost [127.0.0.1]
| 250-SIZE 52428800
| 250-8BITMIME
| 250-PIPELINING
| 250-AUTH LOGIN
| 250-STARTTLS
| 250 HELP
| STARTTLS
| not enough random bytes available (need 300 bytes)
| please do some other work to give the OS a chance to collect more entropy
| *** Starting TLS handshake
| [ .. idle .. ]


And testing on my server running exim 3.35 with OpenSSL for TLS I get:

| [10:48] [ssmeenk@valor: .. exim-tls/exim-tls-4.12] % gnutls-cli -s -p 25 mx.freshdot.net
| Resolving 'mx.freshdot.net'...
| Connecting to '195.64.80.165:25'...

|
| - Simple Client Mode:

|
| 220 dot.freshdot.net ESMTP All Your Mail Are Belong To Us
| EHLO valor
| 250-dot.freshdot.net Hello valor.freshdot.net [195.64.85.34]
| 250-SIZE
| 250-8BITMIME
| 250-PIPELINING
| 250-STARTTLS
| 250 HELP
| STARTTLS
| 220 OpenSSL/0.9.6beta go ahead
| *** Starting TLS handshake
| - Certificate type: X.509
| - Certificate info:
| # Certificate is valid since: Wed Nov 14 02:24:00 CET 2001

|
| [ .. lots of information about my certificate .. ]
| [    heheh.  i also  noticed it is expired :)    ]

|
| - Compression: NULL


I have tried (while that exim process was still looking for entropy)
running these commands:

$ find / -type f | while read line; do cat $line > /dev/null; done
$ tar cvf - / > /dev/null
$ tar cvzf - / | zcat > /dev/null

I played music, had a process running searching for prime numbers
(<plug>SeventeenOrBust.com!</plug>) but all to no avail...

Am I missing something? Please help me out.

I searched google for 'Exim GnuTLS "not enough" entropy' but no results
turned up, I tried reading the htDig:// archives on exim.org but nothing
appropriate turns up. :/

An strace on the exim process shows that:

| [ .. ]
| 29913 open("/var/spool/exim/gnutls-params", O_RDONLY) = -1 ENOENT (No such file or directory)
| 29913 brk(0)                            = 0x80ed000
| 29913 brk(0x80ee000)                    = 0x80ee000
| 29913 open("/dev/random", O_RDONLY)     = 0
| 29913 fstat64(0, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 8), ...}) = 0
| 29913 select(1, [0], NULL, NULL, {3, 0}) = 0 (Timeout)
| 29913 write(2, "not enough random bytes availabl"..., 51) = 51
| 29913 write(2, "please do some other work to giv"..., 74) = 74
| 29913 select(1, [0], NULL, NULL, {3, 0}) = 0 (Timeout)
| 29913 select(1, [0], NULL, NULL, {3, 0}) = 0 (Timeout)
| [ .. keeps select()'ing until killed .. ]


Please help. Thanks.

Regards,
Sander Smeenk.

--
| My mind not only wanders, it sometimes leaves completely.
| 1024D/08CEC94D - 34B3 3314 B146 E13C 70C8 9BDB D463 7E41 08CE C94D