http://www.exim.org/bugzilla/show_bug.cgi?id=390
Summary: Should optionally tempfail if no entropy available
Product: Exim
Version: 4.63
Platform: All
URL: http://bugs.debian.org/387448
OS/Version: Linux
Status: NEW
Severity: bug
Priority: medium
Component: TLS
AssignedTo: ph10@hermes.cam.ac.uk
ReportedBy: mh+exim-bugzilla@zugschlus.de
QAContact: exim-dev@exim.org
Hi,
GnuTLS is flawed because it uses up way too much entropy. Since exim on Debian
links against GnuTLS, we keep having this problem.
The issue reported to the Debian BTS in #387448 is that exim currently can be
DoSsed by opening multiple SMTP connections and issueing STARTTLS commands
there. In that situation, exim blocks and waits for more entropy.
In the opinion of the bug reporter, exim should not block but instead issue a
temporary failure to allow the remote side to continue without encryption.
Personally, I do not fully agree with the reporter here, but I have to forward
the issue upstream anyway. It would probably be an acceptable option to have
exim's behavior configurable in this regard, allowing the local admin to choose
whether to block or to issue a temp failure.
The original bug report has a lot more reasoning which I am not going to repeat
here.
Greetings
Marc
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.
--
## List details at http://www.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
Summary: Should optionally tempfail if no entropy available
Product: Exim
Version: 4.63
Platform: All
URL: http://bugs.debian.org/387448
OS/Version: Linux
Status: NEW
Severity: bug
Priority: medium
Component: TLS
AssignedTo: ph10@hermes.cam.ac.uk
ReportedBy: mh+exim-bugzilla@zugschlus.de
QAContact: exim-dev@exim.org
Hi,
GnuTLS is flawed because it uses up way too much entropy. Since exim on Debian
links against GnuTLS, we keep having this problem.
The issue reported to the Debian BTS in #387448 is that exim currently can be
DoSsed by opening multiple SMTP connections and issueing STARTTLS commands
there. In that situation, exim blocks and waits for more entropy.
In the opinion of the bug reporter, exim should not block but instead issue a
temporary failure to allow the remote side to continue without encryption.
Personally, I do not fully agree with the reporter here, but I have to forward
the issue upstream anyway. It would probably be an acceptable option to have
exim's behavior configurable in this regard, allowing the local admin to choose
whether to block or to issue a temp failure.
The original bug report has a lot more reasoning which I am not going to repeat
here.
Greetings
Marc
------- You are receiving this mail because: -------
You are the QA contact for the bug, or are watching the QA contact.
--
## List details at http://www.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##