Re: [exim-dev] 4.80 final?

Author: Phil Pennock
Date:  
To: Wolfgang Breyha
CC: exim-dev, Jeremy Harris
Subject: Re: [exim-dev] 4.80 final?
On 2012-05-27 at 04:35 +0200, Wolfgang Breyha wrote:
> Reading ... comprehending ... two different things. Sorry. I read about the
> MD5 certs several times and didn't check the state of my quite old one.
>
> It was an MD5 cert. I made a new one and gnutls-cli instantly worked.


*phew*

So gnutls-cli would have been failing, whether Exim was using OpenSSL or
GnuTLS.

I've written a new FAQ to be bundled with the release in the doc/ dir.
I'll post about it to -users shortly:
http://git.exim.org/exim.git/blob/HEAD:/doc/doc-txt/GnuTLS-FAQ.txt

There's probably text in that which can usefully make it into the
Specification too.

> To get Thunderbird working I had to remove the gnutls-params file in
> Exim's spool directory, too.


This is strange. Exim should have been using a file named
"gnutls-params-2236", for the number of bits in the file.

Oh crap. I know what it is. GnuTLS generates *approximately* the
number of bits requested, and can go over. OpenSSL is more exact, but
takes significantly longer.

Crap crap crap. I'll lower the default value of tls_dh_max_bits, so
that even when generation goes over, the count will *probably* only be
2236 and NSS will work.

You probably had a 2237 bit key in the file.

-Phil