On Tue, Dec 29, 2009 at 11:44:01AM -0500, Wietse Venema wrote:

> Is Postfix still the default MTA? If so then it is surprising
> that this /dev/urandom bug was not found during testing.

On my current 10.5 system, yes Postfix is still the default MTA, but:

    $ /usr/sbin/postconf -d tls_random_source
    tls_random_source =

So Apple may have worked around the inconvenient security feature. :-(

The first call to RAND_bytes() in OpenSSL will (it seems, after a quick read of the OpenSSL source code) call RAND_poll() once, which reads "/dev/urandom", via poll() on Linux systems and select() on other Unix-like systems... So disabling all entropy gathering in tls_mgr() is perhaps not catastrophic, but it is not a good idea.

> Allowing /dev/*random to block Postfix is not a good idea, because
> these reads are done by a single tlsmgr process.

Yes.

-- 
	Viktor.

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the "Reply-To" header.
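The thread raises two failure modes for tls_random_source: an empty value (as on the Apple 10.5 build above), which leaves tlsmgr gathering no external entropy and relying solely on OpenSSL's own RAND_poll() seeding, and a blocking device such as /dev/random, where a stalled read in the single tlsmgr process stalls TLS session setup. The following is an added example, not code from the thread or from Postfix, that parses postconf-style "name = value" output and flags both conditions. The sample output strings are constructed, and the assumption that /dev/random is the blocking device is labelled in the code.

```python
import re
from typing import Dict, Tuple

# Constructed samples in the "name = value" format that postconf prints.
# The first mirrors the empty value reported for the Apple 10.5 build.
SAMPLE_EMPTY = "tls_random_source = \n"
SAMPLE_URANDOM = "tls_random_source = dev:/dev/urandom\n"
SAMPLE_BLOCKING = "tls_random_source = dev:/dev/random\n"
SAMPLE_EGD = "tls_random_source = egd:/var/run/egd-pool\n"

# Assumption: on Linux, /dev/random may block when the kernel's entropy
# estimate is low, whereas /dev/urandom never blocks once seeded.
BLOCKING_DEVICES = {"/dev/random"}

_LINE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_postconf(text: str) -> Dict[str, str]:
    """Parse postconf output lines into a parameter -> value mapping.

    Hypothetical helper: it understands only the flat "name = value" lines
    that `postconf -d` / `postconf -n` emit, and strips surrounding whitespace
    so an empty value (trailing space after '=') becomes ''.
    """
    params: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def assess_tls_random_source(params: Dict[str, str]) -> Tuple[str, str]:
    """Return ("ok" | "warn", explanation) for the tls_random_source setting."""
    src = params.get("tls_random_source", "")
    if src == "":
        return ("warn",
                "tls_random_source is empty: tlsmgr gathers no external entropy "
                "and only OpenSSL's internal RAND_poll() seeding remains")
    if src.startswith("dev:"):
        path = src[len("dev:"):]
        if path in BLOCKING_DEVICES:
            return ("warn",
                    f"{path} may block; tlsmgr is a single process, so a "
                    "blocking read stalls TLS session setup for the whole MTA")
        return ("ok", f"non-blocking device entropy source {path}")
    if src.startswith("egd:"):
        return ("ok", f"EGD socket {src[len('egd:'):]}")
    return ("warn", f"unrecognised tls_random_source value {src!r}")


if __name__ == "__main__":
    for name, sample in (("empty", SAMPLE_EMPTY), ("urandom", SAMPLE_URANDOM),
                         ("blocking", SAMPLE_BLOCKING), ("egd", SAMPLE_EGD)):
        level, msg = assess_tls_random_source(parse_postconf(sample))
        print(f"{name:9s} {level:4s} {msg}")
```

On a real host the input would come from `postconf -d tls_random_source` (the compiled-in default) and `postconf -n tls_random_source` (the main.cf override); feeding both through the checker shows whether a bad default has been corrected locally.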