Autor: W B Hacker Data: A: exim-users Assumpte: Re: [exim] Re: no reply to STARTTLS
Jürgen Herz wrote:
> Sven Hartge wrote:
>
>
>>>Exim advertises STARTTLS in the EHLO response but upon sending the
>>>STARTTLS command, nothing happens, it looks some client input is
>>>expected. Not if connected via client nor by hand (telnet).
>>
>>You should see a "220 TLS go ahead" if you use telnet to debug.
>>
>>My guess: Your server is out of entropy (check
>>/proc/sys/kernel/random/entropy_avail, it should be >2000) and exim is
>>still calculating its dh_params and session key.
>
>
> Yesterday before posting I already read a hint on the web regarding
> entropy_avail. When I checked this, it was 5 - but I thought it's ok
> since it's not null.
>
> Yesterday, long after I mailed my post, I finally noticed errors on the
> TLS connections showing up in the logs (about 3 hours after telnetting
> and killing telnet after waiting a few minutes for response).
>
> Today I just tested STARTTLS again and instantly got the expected 220.
> And indeed, today entropy_vail was 1184 when started. But this value is
> quite inconsistent and mostly is around 5.
>
> Now I'm quite puzzled, but after some searches it looks like a common
> problem. ldd says exim4 is linked against libgnutls.so.11 as well as
> libssl.so.0.9.7. Does this mean I can choose at runtime which lib to use?
>
> Thanks,
> Jürgen
>
>
> P.S. This is the second try since my first answer didn't show up on the
> list for three hours. So please ignore any dupes if they finally show up.
>
With fewer than ten servers running Exim, I cannot say for
*sure*, but with OpenSSL on FreeBSD this has never been an issue
for us with Exim, Qmail, Courier-MTA, DBMail, several IMAP/POP
daemons, or anything else that uses SSL/TLS/or SSH.
AFAIK, one has a choice on either *BSD or Linux as to OpenSSL or
GNUTLS - and each no doubt has other advantages/disdvantages.
But it may be more important to look to the selection either one
uses to 'get entropy', i.e. /dev/random, dev/urandom, or
whatever - and if that can be / should be updated/altered on a
given system.