Re: [exim] SOLVED: Exim + (GNU)TLS + Outlook +tls_try_verify…

Author: Phil Pennock
Date:  
To: exim-users
Subject: Re: [exim] SOLVED: Exim + (GNU)TLS + Outlook +tls_try_verify_hosts
On 2009-06-22 at 15:16 +0200, Heiko Schlittermann wrote:
> It seems to depend on the size of the file used in
> `tls_verify_certificates'. (Not sure if it depends on the plain size or
> on the number of certificates or whatever parameter.) With a quite old
> file (Debian etch, 103 certs, about 152kB) everything works as expected,
> with a new one (Debian lenny - 143 certs, about 221kB) the above
> mentioned problems arise.
>
> Maybe someone with some background knowledge about the SSL handshake
> could tell us the real limit (number of certs, size of certs, ...?)
> It does not seem to be a GNU-TLS issue, since the Outlook client drops
> the connection too. (Or Outlook uses the GNU-TLS libs?)


(1) Does your new cert use a newer algorithm than MD5 or SHA1?  Are you
    sure the client supports that, if so?


(2) https://savannah.cern.ch/bugs/?48458
    http://rt.openssl.org/Ticket/Display.html?id=1949&user=guest&pass=guest
    There's currently some issue when there are a "lot" of CAs
    configured and client-side certificate verification is requested.


-Phil