[gnutls-dev] Re: Feature request: not really random session keys

[Simon Josefsson]

Florian Weimer <fw at deneb.enyo.de> writes:

> * Werner Koch:
>
>> The same may happen with libgcrypt applications if several short
>> living processes are running (Exim?).  I am not sure whether GnuTLS
>> sets a random seed file at all.  Does it?
>
> In case of Exim, it's regeneration of the RSA_EXPORT key.  It is not
> serialized, either, so multiple Exim processes try to regenerate it
> and consume increasing amounts of entropy.

I recall the same problem in some other application.  The solution was
to have a separate process devoted to regenerate the keys, store it to
a file, and have the other processes use it.  This circumvent the
synchronization problem, which can be quite complicated, and also
guarantee that the Exim process will never block on /dev/random.  The
process that regenerate the keys can be invoked through cron.