TLS failed, service in BUSY state, terminated abnormally
Clement Hermann (nodens)
nodens2099 at gmail.com
Mon Sep 6 19:26:21 EDT 2010
Le 06/09/2010 23:46, Bron Gondwana a écrit :
> On Mon, Sep 06, 2010 at 11:42:38AM +0200, "Clément Hermann (nodens)" wrote:
>> Le 06/09/2010 11:26, Ethariel a écrit :
>>> Hello,
>>>
>>> auto-answering.
>>> During the upgrade process the /dev/* permission were broken. It
>>> includes /dev/urandom which I think (can someone confirm) is used by SSL.
>>
>> Actually SSL is supposed to use /dev/random which provide better
>> randomness (because of better entropy gathered via keyboards and disks,
>> or better yet, hardware RNG), less likely to be predictable than
>> /dev/urandom.
>
> That's a nice theory. Have you seen how many people have posted to this
> list about imap freezing and poor throughput that have been caused by
> using /dev/random and it blocking?
>
> On the flip side, can you provide a single example of a successful attack
> against IMAP connections secured by /dev/urandom?
>
> Denial of service is a credible threat too, and unless you actually have
> a hardware randomness generator, the threats of using /dev/random are
> generally worse than the threats of using /dev/urandom.
>
> Bron ( who doesn't like black and white advice from ivory towers! )
>
>
Well, I did said 'is supposed to', not 'always should use'. Note also
that I mentionned hardware RNG. But you're right, it is far better and
perfectly acceptable to provide service with poor entropy than bad service.
My main point was that the permission problem was likely on /dev/random
rather than on /dev/random. Sorry if it sounded like I was giving a
lecture. I guess my not so good english is to blame.
I always use /dev/urandom if I don't have hardware RNG on a busy server,
because availability is more important than protection against a very
unlikely threat, and I did have some problem under heavy load.
However, if I can, I prefer to use a hardware RNG, as it is really a
breeze to use with rng-tools. It used to be available on any server x86
motherboard, unfortunately it tends to be less frequent onboard
nowadays... Actually, if you don't want to recompile cyrus but need to
use /dev/urandom, you can use /dev/random with rng-tools using
/dev/urandom as a random source instead of the RNG device.
--
Clement Hermann (nodens)
- "L'air pur ? c'est pas en RL, ça ? c'est pas hors charte ?"
Jean in L'Histoire des Pingouins, http://tnemeth.free.fr/fmbl/linuxsf/
Vous trouverez ma clef publique sur le serveur public pgp.mit.edu.
Please find my public key on the public keyserver pgp.mit.edu.
More information about the Info-cyrus
mailing list