Re: [exim] Re: no reply to STARTTLS

Author: Sven Hartge
Date:  
To: exim-users
Subject: Re: [exim] Re: no reply to STARTTLS
At 07:26 on 18.02.06, W B Hacker wrote:
> Sven Hartge wrote:


>>> With fewer than ten servers running Exim, I cannot say for *sure*, but
>>> with OpenSSL on FreeBSD this has never been an issue for us with Exim,
>>> Qmail, Courier-MTA, DBMail, several IMAP/POP daemons, or anything else
>>> that uses SSL/TLS/or SSH.


>> *BSD behaves different than Linux > 2.6.11


> For which I am eternally grateful!
>
> Just lazy, I guess. ;-)
>
> > so you are comparing apples and lemons.
>
> No. Volume of juice.


I meant "different in the way they manage their entropy pools". The
"wise" Linux developers decided to change the entropy-gathering thingy
inside the kernel in such a way that a normal headless server generates only
about 1 bit/second of entropy, which is _way_ too low. Right now I am
patching the kernel code to re-add as many entropy sources as possible, even the ones
considered unsafe (such as the IRQs of network interface cards), to keep my
servers alive (and also recompiling exim with OpenSSL instead of GnuTLS).

But this is becoming Off-Topic.

>> Also gnutls uses far more entropy than openssl.


> Sounds advantageous, security-wise, on the face of it.
> - Providing it doesn't break in some other way...
>
> ...as the OP seems to have found...


The problematic combination is Linux >2.6.11, exim4.50 and GnuTLS.



--
Sven Hartge -- professional Unix geek
My thoughts on the net: http://www.svenhartge.de/

Attention, new mail address: sven@???
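The thread above blames the STARTTLS hang on entropy starvation: a headless Linux kernel newer than 2.6.11 collecting roughly 1 bit/second while GnuTLS draws more from the pool than OpenSSL does. The script below is an added example, not code from the thread, from Exim or from GnuTLS; it reads the kernel's current pool level from /proc/sys/kernel/random/entropy_avail (a file the thread does not mention) so an operator can tell, before the MTA stalls, whether the pool is running dry and how fast it refills. The 256-bit low-water mark and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): report the kernel entropy pool level
# and its refill rate, so a blocking TLS handshake can be explained before
# it happens. Assumptions: the Linux procfs figure below exists and the
# low-water mark of 256 bits is a reasonable warning threshold.

ENTROPY_FILE=${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}
LOW_WATER=${LOW_WATER:-256}   # assumption: warn below this many bits

# classify_entropy <bits> <threshold>
# Prints "ok" or "low"; returns 1 when low, 2 when the input is not a number.
classify_entropy() {
    bits=$1
    threshold=$2
    case "$bits" in
        ''|*[!0-9]*) echo "invalid"; return 2 ;;
    esac
    if [ "$bits" -lt "$threshold" ]; then
        echo "low"
        return 1
    fi
    echo "ok"
    return 0
}

# check_entropy_file <path> <threshold>
# Reads the kernel's current figure from <path> and classifies it.
# Prints "unavailable" and returns 2 when the file cannot be read
# (non-Linux host, or procfs not mounted).
check_entropy_file() {
    file=$1
    threshold=$2
    if [ ! -r "$file" ]; then
        echo "unavailable"
        return 2
    fi
    bits=$(cat "$file")
    classify_entropy "$bits" "$threshold"
}

# entropy_rate <before_bits> <after_bits> <seconds>
# Integer bits/second gained between two readings taken <seconds> apart.
# A negative result means consumers drained the pool faster than it refilled.
entropy_rate() {
    before=$1
    after=$2
    seconds=$3
    if [ "$seconds" -le 0 ]; then
        echo "invalid"
        return 2
    fi
    echo $(( (after - before) / seconds ))
}

# measure_refill <path> <seconds>
# Samples the pool twice, <seconds> apart, and prints the refill rate.
measure_refill() {
    file=$1
    seconds=$2
    [ -r "$file" ] || { echo "unavailable"; return 2; }
    first=$(cat "$file")
    sleep "$seconds"
    second=$(cat "$file")
    entropy_rate "$first" "$second" "$seconds"
}

main() {
    state=$(check_entropy_file "$ENTROPY_FILE" "$LOW_WATER")
    echo "entropy pool: $state (threshold ${LOW_WATER} bits)"
    if [ "$state" != "unavailable" ]; then
        rate=$(measure_refill "$ENTROPY_FILE" 5)
        echo "refill rate over 5s: ${rate} bits/s"
    fi
}

# Run the report only when executed directly; set ENTROPY_NO_MAIN to skip.
[ -n "${ENTROPY_NO_MAIN:-}" ] || main
```

Run it as root or any user that can read procfs; a reading near zero together with a refill rate of a bit or two per second is exactly the starved state the thread describes, and the fix is to give the kernel more entropy sources (or a hardware generator), not to loosen the TLS library.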