[exim] Re: no reply to STARTTLS

Author: Jürgen Herz
Date:  
To: exim-users
Subject: [exim] Re: no reply to STARTTLS
Sven Hartge wrote:

>> Exim advertises STARTTLS in the EHLO response but upon sending the
>> STARTTLS command, nothing happens; it looks like some client input is
>> expected. Neither when connected via a client nor by hand (telnet).
>
> You should see a "220 TLS go ahead" if you use telnet to debug.
>
> My guess: Your server is out of entropy (check
> /proc/sys/kernel/random/entropy_avail, it should be >2000) and exim is
> still calculating its dh_params and session key.


Yesterday, before posting, I had already read a hint on the web regarding
entropy_avail. When I checked it, it was 5, but I thought that was OK
since it wasn't zero.

Yesterday, long after I mailed my post, I finally noticed errors on the
TLS connections showing up in the logs (about 3 hours after telnetting
and killing telnet after waiting a few minutes for response).

Today I just tested STARTTLS again and instantly got the expected 220.
And indeed, today entropy_avail was 1184 when I started. But this value is
quite inconsistent and is mostly around 5.

Now I'm quite puzzled, but after some searches it looks like a common
problem. ldd says exim4 is linked against libgnutls.so.11 as well as
libssl.so.0.9.7. Does this mean I can choose at runtime which lib to use?

Thanks,
Jürgen


P.S. This is the second try since my first answer didn't show up on the
list for three hours. So please ignore any dupes if they finally show up.
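The symptom discussed in this thread (STARTTLS advertised, then no "220" for minutes while the server blocks on the kernel entropy pool) is easy to reproduce by hand with telnet but awkward to time. The script below is an added example written for this archive page, not code from the thread or from Exim: it runs the EHLO/STARTTLS exchange against a plain SMTP listener with a deadline, reports how long the 220 took (or that it never came), and samples /proc/sys/kernel/random/entropy_avail before and after so the two observations made in the thread line up. The host name probe.example and the default port 25 are placeholders; the reply-parsing helpers follow RFC 5321's "NNN-" / "NNN " continuation rule and can be exercised offline on constructed reply text.

```python
#!/usr/bin/env python3
"""Added example (not Exim code): time an SMTP STARTTLS handshake and report
the kernel entropy pool around it, to diagnose the 'no reply to STARTTLS'
symptom caused by entropy starvation during DH parameter generation."""
import json
import socket
import sys
import time

ENTROPY_PATH = "/proc/sys/kernel/random/entropy_avail"


def parse_reply(buf: bytes):
    """Split a raw SMTP reply buffer into (code, lines, complete).

    A multi-line reply uses 'NNN-text' for all but the last line and
    'NNN text' (or a bare 'NNN') for the last one (RFC 5321 section 4.2.1).
    The reply is only complete once that final line has been fully received,
    i.e. the buffer ends with a line terminator.
    """
    lines = buf.decode("ascii", "replace").splitlines()
    if not lines or not buf.endswith(b"\n"):
        return None, lines, False
    last = lines[-1]
    if not (len(last) >= 3 and last[:3].isdigit()):
        return None, lines, False
    complete = len(last) == 3 or last[3] == " "
    return (int(last[:3]) if complete else None), lines, complete


def starttls_advertised(lines):
    """True if an EHLO response contains a 'NNN-STARTTLS' / 'NNN STARTTLS' line."""
    return any(line[4:].strip().upper() == "STARTTLS" for line in lines if len(line) > 4)


def entropy_avail():
    """Current kernel entropy pool size, or None when not on Linux."""
    try:
        with open(ENTROPY_PATH) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def await_reply(sock, timeout):
    """Read one complete SMTP reply within `timeout` seconds.

    Returns (code, lines, seconds_waited); code is None when the deadline
    passed or the peer closed the connection before a full reply arrived.
    `sock` only needs settimeout() and recv(), so a fake can be substituted.
    """
    start = time.monotonic()
    deadline = start + timeout
    buf = b""
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return None, parse_reply(buf)[1], time.monotonic() - start
        sock.settimeout(remaining)
        try:
            chunk = sock.recv(4096)
        except (socket.timeout, TimeoutError):
            return None, parse_reply(buf)[1], time.monotonic() - start
        if not chunk:  # peer closed the connection
            return None, parse_reply(buf)[1], time.monotonic() - start
        buf += chunk
        code, lines, complete = parse_reply(buf)
        if complete:
            return code, lines, time.monotonic() - start


def probe(host, port=25, timeout=30.0):
    """EHLO, then STARTTLS, and report what happened and how long it took."""
    result = {"entropy_before": entropy_avail()}
    with socket.create_connection((host, port), timeout=timeout) as s:
        code, _, _ = await_reply(s, timeout)          # server greeting
        result["greeting"] = code
        s.sendall(b"EHLO probe.example\r\n")            # placeholder client name
        code, lines, _ = await_reply(s, timeout)
        result["starttls_advertised"] = code == 250 and starttls_advertised(lines)
        if not result["starttls_advertised"]:
            s.sendall(b"QUIT\r\n")
            return result
        s.sendall(b"STARTTLS\r\n")
        code, _, secs = await_reply(s, timeout)       # expect '220 TLS go ahead'
        result["starttls_reply"] = code               # None => hung past the deadline
        result["starttls_seconds"] = round(secs, 1)
    result["entropy_after"] = entropy_avail()
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(json.dumps(probe(target, timeout=float(sys.argv[2]) if len(sys.argv) > 2 else 30.0), indent=2))
```

Run it as `probe.py mailhost 120` against the affected server: a `starttls_reply` of `None` after the full timeout, together with an `entropy_before` in the single digits, is the pattern described in this thread, whereas a healthy server answers 220 within a fraction of a second. The entropy figures are only meaningful when the script runs on the Exim host itself, since the pool being drained is the server's, not the client's.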