Autor: Phil Pennock Data: Dla: exim-users Temat: Re: [exim] Exim 4.80 RC6 + GnuTLS more issues
On 2012-05-29 at 14:49 +0100, Graeme Fowler wrote: > On Tue, 2012-05-29 at 20:16 +0700, Janne Snabb wrote:
> > I am seeing some GnuTLS 3.0.x issues which I am unable to reproduce when
> > using GnuTLS 2.x. This could be a GnuTLS bug.
> >
> > On Exim 4.80 RC4 server with GnuTLS 3.0.19 as supplied by Ubuntu 12.04:
> >
> > tls_verify_vertificates = /etc/ssl/certs/ca-certificates.crt
>
> Is there, perchance, a certificate with an MD5 signature in that bundle?
The MD5 support being dropped is in GnuTLS 2.x somewhere, not new with
GnuTLS 3, and I'd only expect it to be an issue when verifying a
certificate; when presented with a list of CA certificates, the client
should just note it as not fit for use and proceed on without even
looking to see if it has a presentable client cert for that CA.
Of course, telling the world that you accept client certs issued where
the CA cert itself, or the issued certs, use MD5 when your library
itself does not support verifying them is a misconfiguration; best to
remove such certs anyway.
The client could use --priority NORMAL:%VERIFY_ALLOW_SIGN_RSA_MD5 to see
if that helps.