Bug #222
TLS Certificate generation takes ages
0%
Description
When generating the TLS certificate using prelude-adduser, the generation of the certificate takes between 2 and 30 minutes, depending on the kernel and gnutls version.
Tracing the processes shows that, for an unknown reason, [[GnuTLS]] is using /dev/random instead of /dev/urandom (both exist on the test system)
This is more a [[GnuTLS]] problem, yet maybe there is a function which can be called to set the random parameters ?
History
#1 Updated by Yoann VANDOORSELAERE almost 17 years ago
- Status changed from New to Closed
- Resolution set to wontfix
Unfortunately, the problem lie in Gcrypt and there is currently no way of working it around except from generating activity on the machine where key generation occur:
dd if=/dev/zero of=/tmp/tmp.blah
Is reported to work well.
There are ongoing discussions on way of improving this issue on the [[GnuTLS]] mailing list, and we hope that a solution will be adopted in the near future.
#2 Updated by over 15 years ago
In order to accelerate the generation process, one can recur to the instructions on: https://trac.prelude-ids.org/wiki/Misc/Entropy
In a debian system:
aptitude install rng-tools
vi /etc/default/rng-tools
Add the following lines to the configuration file
HRNGDEVICE=/dev/urandom
RNGDOPTIONS="-W 80% -t 20"
Start the entropy generator:
/etc/init.d/rng-tools start
The RSA private key generation should happen very quickly. BUT, as the /dev/urandom is not a real rng, of course there are all the problems related to the randomness of the generated numbers, entropy, etc. Beware! If you don't know what is it, then don't do it.
#3 Updated by admin admin over 15 years ago
Now, correctly formatted (sorry!)
In order to accelerate the generation process, one can recur to the instructions on https://trac.prelude-ids.org/wiki/Misc/Entropy
In a debian system:
aptitude install rng-tools vi /etc/default/rng-tools
Add the following lines to the configuration file
HRNGDEVICE=/dev/urandom RNGDOPTIONS="-W 80% -t 20"
Start the entropy generator:
/etc/init.d/rng-tools start
The RSA private key generation should happen very quickly. BUT, as the /dev/urandom is not a real rng, of course there are all the problems related to the randomness of the generated numbers, entropy, etc. Beware! If you don't know what is it, then don't do it.
#4 Updated by Yoann VANDOORSELAERE about 15 years ago
- Project changed from PRELUDE SIEM to Prelude Manager
- Category deleted (
3)