On 2009-06-22 at 15:16 +0200, Heiko Schlittermann wrote:
> It seems to depend on the size of the file used in
> `tls_verify_certificates'. (Not sure if it depends on the plain size or
> on the number of certificates or whatever parameter.) With a quite old
> file (Debian etch, 103 certs, about 152kB) everything works as expected,
> with a new one (Debian lenny - 143 certs, about 221kB) the above
> mentioned problems arise.
>
> Maybe someone with some background knowledge about the SSL handshake
> could tell us the real limit (number of certs, size of certs, ...?)
> It does not seem to be a GNU-TLS issue, since the Outlook client drops
> the connection too. (Or Outlook uses the GNU-TLS libs?)

(1) Does your new cert use a newer algorithm than MD5 or SHA1? Are you
    sure the client supports that, if so?

(2) https://savannah.cern.ch/bugs/?48458
    http://rt.openssl.org/Ticket/Display.html?id=1949&user=guest&pass=guest
    There's currently some issue when there are a "lot" of CAs
    configured and client-side certificate verification is requested.

-Phil
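
Added example, not part of the original message or of any project named in it: a TLS server that requests a client certificate can list the subject names of its configured CAs in the CertificateRequest handshake message, so this script measures how many bytes a PEM bundle would contribute to that list and compares the total with the 2^14-byte TLS record limit. That this size is the parameter behind the failures discussed in this thread is an assumption; all function names are made up here, and the built-in sample bundle is constructed, not real certificates.

```python
import base64, re, sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
RECORD_MAX = 2 ** 14       # largest plaintext fragment in one TLS record

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def subject_dn(der):
    """Return the DER-encoded subject Name of one X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)          # Certificate
    _, pos, _ = read_tlv(der, pos)        # tbsCertificate
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                       # optional [0] version
        pos = end
    for _ in range(4):                    # serial, sigAlg, issuer, validity
        _, _, pos = read_tlv(der, pos)
    return der[pos:read_tlv(der, pos)[2]]

def ca_list_size(pem_text):
    """Return (cert count, bytes the subject DNs occupy in the CA name list)."""
    names = [subject_dn(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    return len(names), sum(2 + len(n) for n in names)  # 2-byte length per DN

def _tlv(tag, body):
    n = len(body)
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(nb)]) + nb) + body

def fake_ca_pem(i):
    """Constructed certificate-shaped DER (not a valid cert), subject CN=Example CA <i>."""
    cn = _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, b"Example CA %03d" % i)
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, cn)))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, i.to_bytes(2, "big"))
           + _tlv(0x30, b"") + name + _tlv(0x30, b"") + name)
    b64 = base64.b64encode(_tlv(0x30, _tlv(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    text = (open(sys.argv[1]).read() if len(sys.argv) > 1
            else "".join(fake_ca_pem(i) for i in range(1, 601)))
    count, size = ca_list_size(text)
    print(count, "certs,", size, "bytes of CA names;",
          "larger than one TLS record" if size > RECORD_MAX else "within one TLS record")
```

Run it with the path of each CA bundle as the only argument to compare the working file against the failing one.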