On 2012-05-27 at 04:35 +0200, Wolfgang Breyha wrote:
> Reading ... comprehending ... two different things. Sorry. I read about the
> MD5 certs several times and didn't check the state of my quite old one.
>
> It was a MD5 cert. I made a new one and gnutls-cli instantly worked.
*phew*
So gnutls-cli would have been failing, whether Exim was using OpenSSL or
GnuTLS.
I've written a new FAQ to be bundled with the release in the doc/ dir.
I'll post about it to -users shortly:
http://git.exim.org/exim.git/blob/HEAD:/doc/doc-txt/GnuTLS-FAQ.txt
There's probably text in that which can usefully make it into the
Specification too.
> To get Thunderbird working I had to remove the gnutls-params file in
> Exim's spool directory, too.
This is strange. Exim should have been using a file named
"gnutls-params-2236", for the number of bits in the file.
Oh crap. I know what it is. GnuTLS generates *approximately* the
number of bits requested, and can go over. OpenSSL is more exact, but
takes significantly longer.
Crap crap crap. I'll lower the default value of tls_dh_max_bits, so
that even when generation goes over, the count will *probably* only be
2236 and NSS will work.
You probably had a 2237 bit key in the file.
-Phil
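The mismatch Phil describes (a file named for the bits Exim asked for, holding a prime that GnuTLS made slightly larger, which a client with a hard upper limit then rejects) is easy to check for directly. The script below is an added example, not Exim's or GnuTLS's code: it parses a PEM "DH PARAMETERS" block (DER SEQUENCE of INTEGER p, INTEGER g, the format OpenSSL and certtool write), reports the real bit length of p, and compares it with the number in the file name and with an assumed client ceiling. The 2236-bit ceiling, the `gnutls-params-<bits>` naming and the sample parameters are assumptions taken from the thread or constructed here; the sample prime is not a real DH prime, only its length matters for the check.

```python
"""Check the real size of the prime in a PEM DH parameters file.

Added example, not Exim code.  Assumptions: the file is PEM with a
"DH PARAMETERS" block wrapping DER SEQUENCE { INTEGER p, INTEGER g };
Exim names the file gnutls-params-<requested bits>; the client (NSS in the
thread) rejects primes longer than NSS_MAX_DH_BITS.
"""
import base64
import re

NSS_MAX_DH_BITS = 2236  # assumed client ceiling, per the thread


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v):
    """DER INTEGER; the +8 adds a 0x00 pad byte when the top bit is set."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def encode_dh_params_pem(p, g):
    """Build a PEM DH PARAMETERS block (used here only to construct samples)."""
    inner = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(inner)) + inner
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


def _read_tlv(buf, i):
    """Read one DER tag/length/value at offset i; return (tag, value, next)."""
    tag = buf[i]
    ln = buf[i + 1]
    i += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, buf[i:i + ln], i + ln


def parse_dh_params_pem(pem):
    """Return (p, g) from a PEM DH PARAMETERS block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, i = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, i)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p, INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def dh_prime_bits(pem):
    """Actual bit length of the prime, which is what the client sees."""
    p, _ = parse_dh_params_pem(pem)
    return p.bit_length()


def check_params_file(name, pem, max_bits=NSS_MAX_DH_BITS):
    """Return (bits claimed by the file name, actual bits, fits under max_bits)."""
    m = re.search(r"-(\d+)$", name)
    claimed = int(m.group(1)) if m else None
    actual = dh_prime_bits(pem)
    return claimed, actual, actual <= max_bits


# Constructed sample: NOT a real prime, just an odd 2237-bit integer, to
# mimic GnuTLS overshooting a 2236-bit request by one bit.
SAMPLE_2237_P = (1 << 2236) | 0x1234567
SAMPLE_PEM = encode_dh_params_pem(SAMPLE_2237_P, 2)

if __name__ == "__main__":
    claimed, actual, ok = check_params_file("gnutls-params-2236", SAMPLE_PEM)
    print(f"file name says {claimed} bits, prime is {actual} bits, "
          f"{'fits' if ok else 'exceeds'} the {NSS_MAX_DH_BITS}-bit ceiling")
```

Against a real spool file the same check is `check_params_file(path, open(path).read())`; when the actual count is over the ceiling, regenerating with a smaller request (or, as Phil proposes, lowering tls_dh_max_bits so the overshoot still lands at or below 2236) is the fix, and deleting the file only helps until it is regenerated the same way.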