[Help-gnutls] Re: SMTP TLS & Thunderbird
Simon Josefsson
simon at josefsson.org
Thu Feb 8 07:55:19 CET 2007

David Given <dg at cowlark.com> writes:

> Simon Josefsson wrote:
> [...]
>> That error happens if the server doesn't offer a ciphersuite that the
>> client can accept. Often this is caused by missing X.509 CA and/or
>> server certificate. Check with 'gnutls-cli' what key exchange is
>> negotiated. If it is ANON, most clients will refuse to talk to you.
>>
>> Btw, example 7.4.5 is for anonymous authentication, try 7.4.1 instead.
>> It is easy to change things, just add an X.509 credential and assign it
>> to the session.
>
> Thanks. I was rather hoping to do without --- having to create a self-signed
> certificate adds quite a lot of complexity to my install procedure --- but if
> I have to...

Many programs refuse to work if the server doesn't have an X.509
certificate, so yes, I'm afraid you'll have to add that to your
server, or modify a lot of clients.

> Incidentally, creating a private key with certtool takes several minutes.
> Doing the same with openssl req appears to be more or less instant. Is this
> normal?

Yes. Certtool calls gcry_pk_genkey in libgcrypt, and it will read
from /dev/random which often blocks waiting for more entropy. I
really think it should be possible to do things faster, but the Linux
kernel people appear to neglect to replace the current broken
/dev/random code with something faster and more secure.

A strace shows that OpenSSL uses /dev/urandom (and stores state in
~/.rnd) for generating private keys. That device doesn't block, and
may return data with little entropy. If you run 'openssl genrsa -rand
file:/dev/random' it is also quite slow.

/Simon
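
The /dev/random versus /dev/urandom behaviour described in the message above can be observed directly. The following C program is an added example, not code from the thread, GnuTLS, libgcrypt or OpenSSL; `probe_random` is a hypothetical helper name. It asks each device for 256 bytes without blocking and reports the point at which a blocking reader would have stalled:

```c
/* Added example (not from the thread). Linux/POSIX only. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical helper: read up to len bytes from dev without ever blocking.
 * Returns the number of bytes obtained (possibly fewer than len), or -1 if
 * the device could not be opened or read. *would_block is set to 1 when the
 * kernel refused to hand out more data right now (EAGAIN), which is where a
 * blocking reader such as a key generator would sit and wait. */
static long probe_random(const char *dev, unsigned char *buf, size_t len,
                         int *would_block)
{
    size_t got = 0;
    int fd = open(dev, O_RDONLY | O_NONBLOCK);

    *would_block = 0;
    if (fd < 0)
        return -1;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n > 0) {
            got += (size_t)n;          /* short reads are normal; keep going */
        } else if (n < 0 && errno == EINTR) {
            continue;                  /* interrupted by a signal; retry */
        } else if (n < 0 && errno == EAGAIN) {
            *would_block = 1;          /* pool has nothing more to give now */
            break;
        } else {
            close(fd);
            return -1;                 /* unexpected EOF or read error */
        }
    }
    close(fd);
    return (long)got;
}

int main(void)
{
    const char *devs[] = { "/dev/random", "/dev/urandom" };
    unsigned char buf[256];            /* 256 bytes = 2048 bits requested */
    int blocked;

    for (int i = 0; i < 2; i++) {
        long n = probe_random(devs[i], buf, sizeof buf, &blocked);
        printf("%-13s %ld of %zu bytes%s\n", devs[i], n, sizeof buf,
               blocked ? " (a blocking read would stall here)" : "");
    }
    return 0;
}
```

On Linux kernels from 5.6 onward, /dev/random only blocks until the pool has been initialised once, so both lines are expected to report the full 256 bytes there.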