Package: ekeyd-egd-linux
Version: 1.1.1-1

I am attempting to use ekeyd-egd-linux (and ekeyd) with stunnel. I have it working, with a "server" stunnel sitting in front of ekeyd and a "client" stunnel that egd talks to. But there are problems on startup since stunnel and ekeyd-egd-linux both want to start at runlevel 3 priority S20. If egd is configured to use the stunnel and starts before stunnel (which it does due to sort order) then it fails to start.

One possibility is to move egd to a higher priority, but then that might mean that it's starting after other things at S20 that would benefit from increased entropy (especially those that seed their own RNGs). Some potentially affected services:

  S16ssh (before egd)
  S20openvpn
  S20postfix
  S20saslauthd

I don't know how big a problem this would be; hopefully the system still has plenty of entropy at that point and these services wouldn't need much. But it's hard to say without measuring.

BTW: ekeyd itself doesn't have this problem since stunnel sits in front of it rather than the other way around. If ekeyd is up before the stunnel that remote services are configured to use, there's no problem.

In the case where egd is pointing at an ekeyd on the same system, it might also be good to have some separation between them. I suspect it works right now since they sort alphabetically.

In addition to the sysv priorities, there are also the LSB dependencies that newer init systems use. I don't think you'd want to set up any dependencies there, since it doesn't apply to all cases:

1) while you might have ekeyd and egd on the same system, we don't know that egd is configured to point at the local ekeyd
2) egd shouldn't depend on stunnel because it's not always going to be configured to use stunnel

I thought about the possibility of moving stunnel to S19, but it uses inetd and openbsd-inetd runs at S20 (and again I guess this works due to sort order).

In summary: This problem might be able to be solved for egd-over-stunnel on sysv init systems by moving egd to S21. For dependency-based init systems I don't know if it can be solved in the init system, except by having the sysadmin adjust things by hand.

OK, now that I have said all that, there might be a better solution: have egd retry the server if it can't reach it, both at first but also if it loses the connection (it appears to fail in both cases currently).

Native support for SSL (#576385) would also solve this bug.
Thanks,
-- 
Matt Taggart
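As an added example (not the reporter's code and not part of ekeyd-egd-linux), here is the retry behaviour proposed in the report, in Python: a minimal EGD client that keeps retrying the socket at startup, so it survives stunnel coming up later, and reconnects if the link is lost mid-stream. The socket path, attempt count and delay are assumptions.

```python
import socket
import time

EGD_READ_BLOCKING = b"\x02"  # EGD command: blocking read of N (<= 255) bytes


def egd_read(sock, n):
    """Request n bytes of entropy over an open EGD connection."""
    sock.sendall(EGD_READ_BLOCKING + bytes([n]))
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("EGD server closed the connection")
        buf += chunk
    return buf


def connect_with_retry(path, attempts=5, delay=0.1):
    """Connect to the EGD Unix socket at `path` (assumed location), retrying
    instead of failing at once when the stunnel in front of it is not up yet.
    Returns the connected socket; re-raises the last error after `attempts`."""
    last = None
    for _ in range(attempts):
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            s.connect(path)
            return s
        except OSError as e:
            last = e
            s.close()
            time.sleep(delay)
    raise last


def fetch_entropy(path, nbytes, attempts=5, delay=0.1):
    """Fetch nbytes of entropy, reconnecting (bounded by `attempts`) if the
    connection is lost mid-stream, the second failure mode in the report."""
    out = b""
    reconnects = 0
    sock = connect_with_retry(path, attempts, delay)
    while len(out) < nbytes:
        try:
            out += egd_read(sock, min(255, nbytes - len(out)))
        except OSError:  # ConnectionError is a subclass of OSError
            sock.close()
            reconnects += 1
            if reconnects > attempts:
                raise
            sock = connect_with_retry(path, attempts, delay)
    sock.close()
    return out
```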

