Re: [exim] SOLVED: Exim + (GNU)TLS + Outlook + tls_try_verif…

Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: Re: [exim] SOLVED: Exim + (GNU)TLS + Outlook + tls_try_verify_hosts
Hello Phil,

Phil Pennock <exim-users@???> (Mo 22 Jun 2009 15:37:32 CEST):
> On 2009-06-22 at 15:16 +0200, Heiko Schlittermann wrote:
> > It seems to depend on the size of the file used in
> > `tls_verify_certificates'. (Not sure if it depends on the plain size or
> > on the number of certificates or whatever parameter. With a quite old
> > file (Debian etch, 103 certs, about 152kB) everything works as expected,
> > with a new one (Debian lenny - 143 certs, about 221kB) the above
> > mentioned problems arise.
> >
> > Maybe someone with some background knowledge about the SSL handshake
> > could tell us the real limit (number of certs, size of certs, ...?)
> > It does not seem to be a GNU-TLS issue, since the Outlook client drops
> > the connection too. (Or Outlook uses the GNU-TLS libs?)
>
> (1) Does your new cert use a newer algorithm than MD5 or SHA1?  Are you
>     sure the client supports that, if so?


The list of CA certs used by the server for verification (and thus sent
to the client along with the cert request) only mentions MD5 or SHA1 as
"Signature Algorithm".

It does not seem to depend on any specific certificate. I created two
sets of CA certs used by the server for verification:

    - set A: the old list (about 103 certs)
    - set B: the delta between the old (103 certs) and the new (143 certs):
             40 certs


And I think that if a specific cert causes the problem, the second set of CA
certs should fail. (Of course, nothing is as it seems, so probably there
are dependencies on the phase of the moon and other things...)

> (2) https://savannah.cern.ch/bugs/?48458
>     http://rt.openssl.org/Ticket/Display.html?id=1949&user=guest&pass=guest
>     There's currently some issue when there are a "lot" of CAs
>     configured and client-side certificate verification is requested.


They are talking about a smaller number and about some sizes and they
think it's related to OpenSSL. I don't believe that. I'll send them some
notice.

I'll try to reproduce it using "native clients" (openssl/gnu-tls).

    Best regards from Dresden/Germany
    Many greetings from Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann HS12-RIPE -----------------------------------------
 gnupg encrypted messages are welcome - key ID: 48D0359B ---------------
 gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2  7E92 EE4E AC98 48D0 359B -
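The "set A / set B" experiment above (splitting the CA bundle into the old list and the delta of the new list, then bisecting further if needed) is easy to get wrong by hand when the bundle has 100+ certificates. The following is an added example, not code from the post or from Exim, that does that bookkeeping: it parses two concatenated PEM bundles of the kind Exim's `tls_verify_certificates` reads, identifies each certificate by the SHA-256 of its DER bytes, computes the delta set, reports counts and total DER bytes (the quantity that ends up in the server's CertificateRequest), and splits a set in half for bisection. The sample bundles are constructed inline from fake byte blobs wrapped in PEM framing; they are not real X.509 certificates, so only the PEM parsing, set arithmetic and size accounting are exercised.

```python
import base64
import hashlib
import re
from typing import Dict, List, Tuple

# One PEM certificate block; DOTALL lets the body span lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def parse_bundle(pem_text: str) -> Dict[str, bytes]:
    """Map sha256(DER) -> DER for every certificate in a PEM bundle.

    Keying on the DER digest means the same CA cert is recognised even if
    the two bundles differ in line wrapping, comments or ordering.
    """
    certs: Dict[str, bytes] = {}
    for m in PEM_RE.finditer(pem_text):
        der = base64.b64decode("".join(m.group(1).split()))
        certs[hashlib.sha256(der).hexdigest()] = der
    return certs


def bundle_stats(certs: Dict[str, bytes]) -> Tuple[int, int]:
    """(number of certs, total DER bytes) for a set of certificates."""
    return len(certs), sum(len(d) for d in certs.values())


def delta(old: Dict[str, bytes], new: Dict[str, bytes]) -> Dict[str, bytes]:
    """Certificates present in `new` but not in `old` ("set B" in the post)."""
    return {h: d for h, d in new.items() if h not in old}


def halves(certs: Dict[str, bytes]) -> Tuple[Dict[str, bytes], Dict[str, bytes]]:
    """Split a set into two halves for a further bisection step."""
    items = list(certs.items())
    mid = len(items) // 2
    return dict(items[:mid]), dict(items[mid:])


def to_pem(certs: Dict[str, bytes]) -> str:
    """Serialise a set back into a PEM bundle usable as tls_verify_certificates."""
    out: List[str] = []
    for der in certs.values():
        b64 = base64.b64encode(der).decode()
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        out.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
    return "".join(out)


# --- constructed sample data (NOT real certificates) ----------------------
def fake_cert(seed: str, reps: int = 40) -> bytes:
    """Deterministic 1280-byte blob standing in for a DER certificate."""
    return hashlib.sha256(f"ca-{seed}".encode()).digest() * reps


OLD_BUNDLE = to_pem({str(i): fake_cert(str(i)) for i in range(3)})          # "etch"-style list
NEW_BUNDLE = to_pem({str(i): fake_cert(str(i)) for i in range(5)})          # "lenny"-style list


def compare_bundles(old_pem: str, new_pem: str) -> Dict[str, Tuple[int, int]]:
    """Counts and DER byte totals for old, new and the delta set."""
    old, new = parse_bundle(old_pem), parse_bundle(new_pem)
    return {
        "old": bundle_stats(old),
        "new": bundle_stats(new),
        "delta": bundle_stats(delta(old, new)),
    }


if __name__ == "__main__":
    report = compare_bundles(OLD_BUNDLE, NEW_BUNDLE)
    for name, (count, nbytes) in report.items():
        print(f"{name:5s}: {count} certs, {nbytes} DER bytes")
    set_b = delta(parse_bundle(OLD_BUNDLE), parse_bundle(NEW_BUNDLE))
    b1, b2 = halves(set_b)
    print(f"bisect: {len(b1)} + {len(b2)} certs")
```

Writing `to_pem(set_b)` to a file and pointing `tls_verify_certificates` at it reproduces the post's "set B" test; if that set also fails, `halves()` gives the next two candidate files. The DER byte total is the number to watch, since it, not the PEM file size, is what the server has to fit into the handshake when it advertises the acceptable CAs.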