[Help-gnutls] Re: SMTP TLS & Thunderbird

Simon Josefsson simon at josefsson.org
Thu Feb 8 07:55:19 CET 2007


David Given <dg at cowlark.com> writes:

> Simon Josefsson wrote:
> [...]
>> That error happens if the server doesn't offer a ciphersuite that the
>> client can accept.  Often this is caused by missing X.509 CA and/or
>> server certificate.  Check with 'gnutls-cli' what key exchange is
>> negotiated.  If it is ANON, most clients will refuse to talk to you.
>> 
>> Btw, example 7.4.5 is for anonymous authentication, try 7.4.1 instead.
>> It is easy to change things, just add a X.509 credential and assign it
>> to the session.
>
> Thanks. I was rather hoping to do without --- having to create a self-signed
> certificate adds quite a lot of complexity to my install procedure --- but if
> I have to...

Many programs refuse to work if the server doesn't have a X.509
certificate, so yes, I'm afraid you'll have to add that to your
server, or modify a lot of clients.

> Incidentally, creating a private key with certtool takes several minutes.
> Doing the same with openssl req appears to be more or less instant. Is this
> normal?

Yes.  Certtool calls gcry_pk_genkey in libgcrypt, and it will read
from /dev/random which often blocks waiting for more entropy.  I
really think it should be possible to do things faster, but the Linux
kernel people appear to neglect to replace the current broken
/dev/random code with something faster and more secure.

A strace shows that OpenSSL uses /dev/urandom (and store state in
~/.rnd) for generating private keys.  That device doesn't block, and
may return data with little entropy.  If you run 'openssl genrsa -rand
file:/dev/random' it is also quite slow.

/Simon





More information about the Gnutls-help mailing list