help-gnutls
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Help-gnutls] Re: SMTP TLS & Thunderbird

From: Simon Josefsson
Subject: [Help-gnutls] Re: SMTP TLS & Thunderbird
Date: Thu, 08 Feb 2007 07:55:19 +0100
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.93 (gnu/linux) 
David Given <address@hidden> writes:

> Simon Josefsson wrote:
> [...]
>> That error happens if the server doesn't offer a ciphersuite that the
>> client can accept.  Often this is caused by missing X.509 CA and/or
>> server certificate.  Check with 'gnutls-cli' what key exchange is
>> negotiated.  If it is ANON, most clients will refuse to talk to you.
>> 
>> Btw, example 7.4.5 is for anonymous authentication, try 7.4.1 instead.
>> It is easy to change things, just add a X.509 credential and assign it
>> to the session.
>
> Thanks. I was rather hoping to do without --- having to create a self-signed
> certificate adds quite a lot of complexity to my install procedure --- but if
> I have to...

Many programs refuse to work if the server doesn't have a X.509
certificate, so yes, I'm afraid you'll have to add that to your
server, or modify a lot of clients.

> Incidentally, creating a private key with certtool takes several minutes.
> Doing the same with openssl req appears to be more or less instant. Is this
> normal?

Yes.  Certtool calls gcry_pk_genkey in libgcrypt, and it will read
from /dev/random which often blocks waiting for more entropy.  I
really think it should be possible to do things faster, but the Linux
kernel people appear to neglect to replace the current broken
/dev/random code with something faster and more secure.

A strace shows that OpenSSL uses /dev/urandom (and store state in
~/.rnd) for generating private keys.  That device doesn't block, and
may return data with little entropy.  If you run 'openssl genrsa -rand
file:/dev/random' it is also quite slow.

/Simon
reply via email to
[Prev in Thread] Current Thread [Next in Thread]