Re: [exim] Outlook failing gnutls_handshake after resetting …

Author: Heiko Schlittermann
Date:  
To: exim-users
Old topics: Re: [exim] Outlook failing gnutls_handshake after resetting up on ubuntu 9.10
Subject: Re: [exim] Outlook failing gnutls_handshake after resetting up on ubuntu 9.10
Hello,

jwexler@??? <jwexler@???> (Sun 02 May 2010 09:19:42 CEST):
> Phil,
>
> Thank you very kindly for your help.
>
> I will look into the ciphers and gnutls_compat_mode per your direction.
>
> Additionally, I found a workaround. I had originally (in 8.04 LTS) assigned
> tls_try_verify_hosts to * thereby enabling it.
> However, I had never been able to get it to do what I had been trying to do

(…)
> see that you contributed to that thread.
> http://www.mail-archive.com/exim-users@exim.org/msg33756.html It appears to
> me that something was done with tls_try_verify_hosts from between the exim4
> version in 8.04 LTS and 9.10. Thus for now I have it disabled.


If I remember well, the problem went away as soon as I reduced the
number of CA certificates on the server side. It *seems* that exim is
sending a list of known CAs to the client (outlook) and this way exim is
flooding something on the client side. (The same happened with older
GNUTLS clients).

Switching off the tls_verify_hosts option seems to suppress sending this
list (and as long as you do not expect a cert from the client, nobody
needs this).

OTOH you could point exim to some short list of CA certs (normally just
a list of the CAs you expect as signers of the client certificates).

I'd like to know if this helped (reducing the list)

--
Heiko
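
An added example, not part of the original message: one way to measure how large the CA list discussed above becomes for a given PEM bundle. It assumes the server advertises the subject DN of every certificate in the bundle in the TLS CertificateRequest; the function names are illustrative and the sample certificates are constructed, unsigned skeletons.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
MAX_CA_VECTOR = 0xFFFF  # TLS certificate_authorities<0..2^16-1>

def _tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    first = buf[off + 1]
    if first < 0x80:                      # short-form length
        start, length = off + 2, first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        start = off + 2 + n
        length = int.from_bytes(buf[off + 2:start], "big")
    return buf[off], start, start + length

def subject_dn(der):
    """Return the DER-encoded subject Name of an X.509 certificate."""
    _, pos, _ = _tlv(der, 0)              # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)            # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                       # optional [0] version field
        pos = end
    for _field in range(4):               # serial, signature, issuer, validity
        _, _, pos = _tlv(der, pos)
    _, _, end = _tlv(der, pos)
    return der[pos:end]

def ca_list_size(pem_text):
    """Return (CA count, bytes of the DN list: 2-byte length prefix + DN each)."""
    dns = [subject_dn(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    return len(dns), sum(2 + len(dn) for dn in dns)

# --- constructed sample data: unsigned certificate skeletons, structure only ---
def _der(tag, body):
    n = len(body)
    nb = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + head + body

def sample_pem(cn):
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + name + _der(0x30, b"") + name)
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()

if __name__ == "__main__":
    bundle = "".join(sample_pem("Constructed CA %d" % i) for i in range(3))
    count, size = ca_list_size(bundle)
    print(count, "CAs,", size, "bytes; fits in one list:", size <= MAX_CA_VECTOR)
```

To check a real server, pass the text of the bundle that Exim's `tls_verify_certificates` option points at to `ca_list_size()` and compare the result before and after trimming the file.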