Re: [exim] Re: no reply to STARTTLS

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Sven Hartge
Datum:  
To: exim-users
Betreff: Re: [exim] Re: no reply to STARTTLS
Um 21:33 Uhr am 17.02.06 schrieb Jürgen Herz:
> Sven Hartge wrote:


>>> Exim advertises STARTTLS in the EHLO response but upon sending the
>>> STARTTLS command, nothing happens, it looks some client input is
>>> expected. Not if connected via client nor by hand (telnet).


>> You should see a "220 TLS go ahead" if you use telnet to debug.
>>
>> My guess: Your server is out of entropy (check
>> /proc/sys/kernel/random/entropy_avail, it should be >2000) and exim is
>> still calculating its dh_params and session key.


> Yesterday before posting I already read a hint on the web regarding
> entropy_avail. When I checked this, it was 5 - but I thought it's ok
> since it's not null.


This means "5 bits of entropy left". gnutls uses vast amounts of entropy
(compared to openssl), so it drains the entropy pool very quick.

> Yesterday, long after I mailed my post, I finally noticed errors on the
> TLS connections showing up in the logs (about 3 hours after telnetting
> and killing telnet after waiting a few minutes for response).
>
> Today I just tested STARTTLS again and instantly got the expected 220.
> And indeed, today entropy_vail was 1184 when started. But this value is
> quite inconsistent and mostly is around 5.


exim-4.50 has a little "bug" in its gnutls-code, which causes it to use
the blocking /dev/random on SSL connections. Florian Weimer made a patch,
which resolves this issue for 4.50.

If you can, upgrade to at least 4.54, better yet 4.60.

If you use Debian, use the packages from backports.org.

> Now I'm quite puzzled, but after some searches it looks like a common
> problem. ldd says exim4 is linked against libgnutls.so.11 as well as
> libssl.so.0.9.7. Does this mean I can choose at runtime which lib to use?


This is weird. Please post your ldd output.



--
Sven Hartge -- professioneller Unix-Geek
Meine Gedanken im Netz: http://www.svenhartge.de/

Achtung, neue Mail-Adresse: sven@???