Author: Phil Pennock Date: To: Wolfgang Breyha, Jeremy Harris, exim-dev Subject: Re: [exim-dev] 4.80 final?
On 2012-05-26 at 20:23 -0400, Phil Pennock wrote: > For clarity, you're saying:
> * everything works using OpenSSL as Exim's TLS provider
> * problems with GnuTLS as Exim's TLS provider
> * no problem with openssl s_client against Exim/GnuTLS
> * problem with gnutls-cli and thunderbird against Exim/GnuTLS
>
> Are you using an MD5-based self-signed certificate? Remember that
> GnuTLS no longer supports MD5 in certificates, since they've been proven
> to be broken in real world practical attacks.
>
> If not, does Exim 4.77 built against the same GnuTLS library work?
>
> If it does not work in Exim 4.77 then there has been no regression and
> there's a problem with how GnuTLS was built on your system.
>
> If it is MD5 as a cause, I welcome a code suggestion for detecting this
> and providing better diagnostics.
Oh, and because you're using GnuTLS 2.x, an EOF is reported as a packet
of unexpected length. With GnuTLS 3.x, there's a separate error-code
for EOF.
So I strongly suspect that you're using an MD5-based cert, the GnuTLS
client is rejecting it for being MD5-based, the client drops the
connection, the server reports a packet of unexpected length, that being
the string from gnutls_strerror() for the error code returned in
GnuTLS 2.
If it's not an MD5 cert, but it's still a client policy rejection, then
the same applies.