Re: [exim-dev] 4.80 final?

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
MPhil Pennock at <-
MWolfgang Breyha at ->
Delete this message
Reply to this message
Author: Phil Pennock
Date:  
To: Wolfgang Breyha, Jeremy Harris, exim-dev
Subject: Re: [exim-dev] 4.80 final?
On 2012-05-26 at 20:23 -0400, Phil Pennock wrote:
> For clarity, you're saying:
> * everything works using OpenSSL as Exim's TLS provider
> * problems with GnuTLS as Exim's TLS provider
> * no problem with openssl s_client against Exim/GnuTLS
> * problem with gnutls-cli and thunderbird against Exim/GnuTLS
>
> Are you using an MD5-based self-signed certificate? Remember that
> GnuTLS no longer supports MD5 in certificates, since they've been proven
> to be broken in real world practical attacks.
>
> If not, does Exim 4.77 built against the same GnuTLS library work?
>
> If it does not work in Exim 4.77 then there has been no regression and
> there's a problem with how GnuTLS was built on your system.
>
> If it is MD5 as a cause, I welcome a code suggestion for detecting this
> and providing better diagnostics.

Oh, and because you're using GnuTLS 2.x, an EOF is reported as a packet
of unexpected length. With GnuTLS 3.x, there's a separate error-code
for EOF.

So I strongly suspect that you're using an MD5-based cert, the GnuTLS
client is rejecting it for being MD5-based, the client drops the
connection, the server reports a packet of unexpected length, that being
the string from gnutls_strerror() for the error code returned in
GnuTLS 2.

If it's not an MD5 cert, but it's still a client policy rejection, then
the same applies.

-Phil

This message was posted to the following mailing lists:
Exim-dev
Mailing List Info | Nearby Messages		<-Re: [exim-dev] 4.80 final?Re: [exim-dev] 4.80 final?->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)