Re: [exim-dev] 4.80 final?

Author: Phil Pennock
Date:  
To: Wolfgang Breyha, Jeremy Harris, exim-dev
Subject: Re: [exim-dev] 4.80 final?
On 2012-05-26 at 20:23 -0400, Phil Pennock wrote:
> For clarity, you're saying:
> * everything works using OpenSSL as Exim's TLS provider
> * problems with GnuTLS as Exim's TLS provider
> * no problem with openssl s_client against Exim/GnuTLS
> * problem with gnutls-cli and thunderbird against Exim/GnuTLS
>
> Are you using an MD5-based self-signed certificate? Remember that
> GnuTLS no longer supports MD5 in certificates, since they've been proven
> to be broken in real world practical attacks.
>
> If not, does Exim 4.77 built against the same GnuTLS library work?
>
> If it does not work in Exim 4.77 then there has been no regression and
> there's a problem with how GnuTLS was built on your system.
>
> If it is MD5 as a cause, I welcome a code suggestion for detecting this
> and providing better diagnostics.


Oh, and because you're using GnuTLS 2.x, an EOF is reported as a packet
of unexpected length. With GnuTLS 3.x, there's a separate error-code
for EOF.

So I strongly suspect that you're using an MD5-based cert, the GnuTLS
client is rejecting it for being MD5-based, the client drops the
connection, the server reports a packet of unexpected length, that being
the string from gnutls_strerror() for the error code returned in
GnuTLS 2.

If it's not an MD5 cert, but it's still a client policy rejection, then
the same applies.

-Phil
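Phil's earlier message asks for a code suggestion that detects an MD5-based certificate and reports it plainly instead of leaving the operator with GnuTLS 2's "packet of unexpected length". The following is an added example, not code from this thread or from Exim: a minimal DER walk that reads the outer signatureAlgorithm OID of an X.509 certificate and flags md2/md5WithRSAEncryption. The certificate bytes it runs on are a constructed stand-in (placeholder tbsCertificate, dummy signature), so the check runs offline; a real DER certificate is parsed the same way.

```python
# RSA signature OIDs that GnuTLS clients reject outright (added example, not Exim code).
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.2": "md2WithRSAEncryption",
                 "1.2.840.113549.1.1.4": "md5WithRSAEncryption"}

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER value into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear: last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """OID of the outer signatureAlgorithm: Certificate ::= SEQUENCE {tbs, sigAlg, sig}."""
    _, pos, _ = _read_tlv(der, 0)          # enter the outer Certificate SEQUENCE
    _, _, pos = _read_tlv(der, pos)        # skip tbsCertificate entirely
    _, pos, _ = _read_tlv(der, pos)        # enter AlgorithmIdentifier SEQUENCE
    tag, start, end = _read_tlv(der, pos)  # its first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return _decode_oid(der[start:end])

def check_cert(der):
    """Startup diagnostic an MTA could log instead of a bare 'packet of unexpected length'."""
    oid = signature_algorithm(der)
    if oid in WEAK_SIG_OIDS:
        return f"WARNING: certificate signed with {WEAK_SIG_OIDS[oid]}; GnuTLS clients will reject it"
    return f"ok: certificate signature algorithm {oid}"

# --- constructed sample certificate: placeholder tbsCertificate, dummy signature ---
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length; sample stays under 128 bytes
def sample_cert(oid_der):
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                     # stand-in tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, oid_der) + _tlv(0x05, b""))  # AlgorithmIdentifier {oid, NULL}
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" + b"\xab" * 4))

MD5_RSA = bytes.fromhex("2a864886f70d010104")     # 1.2.840.113549.1.1.4 md5WithRSAEncryption
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11 sha256WithRSAEncryption
```

Feed `check_cert()` the DER bytes of the server certificate (base64-decode the PEM body first); inside a C program linked against GnuTLS the same question is answered by gnutls_x509_crt_get_signature_algorithm() on the loaded certificate.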