Page MenuHomePhabricator

Ensure mailman VM setup has adequate entropy for STARTTLS
Closed, ResolvedPublic


Per Mark in T82576#902820, the blocker to enabling STARTTLS was that in the past doing so "would use up (starve) all random entropy because of the many deliveries, and then block. But with newer hardware and potentially hw RNGs, the situation may be better now. We can test it again."

It is possible that no action is explicitly needed, if there is a hardware RNG on the virtualization host and if the individual VMs are able to utilize it as a source for entropy. If this is not the case, one possible solution would be to have haveged running on the virtualization host and the virtio-rng kernel module loaded in guests.

Event Timeline

ori created this task.Aug 16 2015, 10:06 PM
ori assigned this task to Dzahn.
ori raised the priority of this task from to High.
ori updated the task description. (Show Details)
ori added subscribers: ori, MZMcBride, Dzahn and 5 others.
Dzahn added a comment.Aug 18 2015, 1:05 AM

re: hardware RNG:

< Dagmar> mutante: Ask they guy running the VM host. If he starts laughing halfway through your question, that hardware isn't present

< Dagmar> Mainly it's only IBM's ESX hosts that will

< Dagmar> When in doubt, stuff the output of dmesg into /dev/urandom along with a few lines of free verse poetry

< Dagmar> It's also very easy to come up with some "mostly random crap" to seed the system's entropy pool with

< barfod> instead rely on more advanced functions like arc4random()

< Dagmar> barfod: Dude I've used /dev/mic and burped into it

cajoel gave hardware RNGs to Faidon and Mark, not sure if we'll need them yet

faidon closed this task as Resolved.Sep 21 2015, 11:47 AM

fermium now has TLS now and I've been watching /proc/sys/kernel/random/entropy_avail. I don't see any issues with entropy so far. I think these entropy-depleting exim issues are GnuTLS bugs of the past and not applicable to modern systems.