Package: exim4
Version: 4.63-3
Severity: important

I know this has been reported before to death [since gnutls is being used], but I will just add another twist, since I'm tired of rebuilding exim with OpenSSL manually.

GnuTLS drains the entropy pool much more quickly than OpenSSL. On server systems without hardware generators, /dev/random drains very quickly, meaning that exim will often block. But exim should NOT block, or even wait, in STARTTLS.

It is possible to make the system drain its entropy and then issue several connections all waiting in STARTTLS, until the maximal number of connections is reached. Combine this with the fact that it is possible to keep the connection alive for eternity with a SO_KEEPALIVE connection, and also that exim doesn't seem to terminate the process when the connection is closed in this state, and you get a very easy denial of service which will refuse all further (including normal) connections.

This is a bug in exim. exim should NOT block in STARTTLS. Keys must be generated in the background or by other means, and the unavailability of data at STARTTLS should generate an immediate temporary failure to avoid other DOS conditions.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.9-ac11
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages exim4 depends on:
ii  exim4-base          4.63-3  support files for all exim MTA (v4
ii  exim4-daemon-light  4.63-3  lightweight exim MTA (v4) daemon

exim4 recommends no packages.

-- no debconf information
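A sketch of the fail-fast behaviour the report asks for, added here as an example that is not part of the bug report or of Exim's code: the entropy device is opened with O_NONBLOCK, and when the pool has nothing to give the server answers STARTTLS with the RFC 3207 temporary-failure reply instead of sitting in a blocked read that pins a connection slot. The device path, the 32-byte seed size and the `demo` helper (an empty non-blocking pipe standing in for a drained pool) are assumptions for illustration.

```python
import os


def read_entropy_nonblocking(fd, nbytes):
    """Read exactly nbytes from a non-blocking descriptor.

    Returns the bytes, or None as soon as the kernel reports EAGAIN
    (pool drained) or EOF, instead of sleeping inside the SMTP session
    the way a blocking read of /dev/random would.
    """
    buf = b""
    while len(buf) < nbytes:
        try:
            chunk = os.read(fd, nbytes - len(buf))
        except BlockingIOError:   # EAGAIN: no entropy right now, do not wait
            return None
        if not chunk:             # EOF: nothing more will come
            return None
        buf += chunk
    return buf


def seed_from_device(nbytes, path="/dev/random"):
    """Open the entropy device without blocking and try to take a seed."""
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    try:
        return read_entropy_nonblocking(fd, nbytes)
    finally:
        os.close(fd)


def starttls_reply(seed):
    """SMTP reply for STARTTLS given the seed fetch result (RFC 3207 codes)."""
    if seed is None:
        # Temporary failure: the client may retry later, and this server
        # process is freed immediately rather than holding a slot.
        return "454 4.7.0 TLS not available due to temporary reason"
    return "220 Ready to start TLS"


def handle_starttls(nbytes=32, path="/dev/random"):
    return starttls_reply(seed_from_device(nbytes, path))


def demo(drained):
    """Constructed stand-in for the device (assumption, not a real pool):
    an empty non-blocking pipe models a drained pool, one holding 32
    bytes models a healthy one."""
    r, w = os.pipe()
    os.set_blocking(r, False)
    if not drained:
        os.write(w, os.urandom(32))
    try:
        return starttls_reply(read_entropy_nonblocking(r, 32))
    finally:
        os.close(r)
        os.close(w)
```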