Re: [exim-dev] Big CA certificate bundle causes problems wit…

Top Page
Delete this message
Reply to this message
Author: Janne Snabb
Date:  
To: exim-dev
Subject: Re: [exim-dev] Big CA certificate bundle causes problems with GnuTLS 3.0.11
On 2012-05-30 05:11, Phil Pennock wrote:
> On 2012-05-30 at 04:45 +0700, Janne Snabb wrote:
>> Do we need "gnutls_certificate_send_x509_rdn_sequence(session, knob)" in
>> the GnuTLS server side initialization and a corresponding configuration
>> knob. How does OpenSSL behave in this regard?
>
> Oh, I deleted from my previous reply the text about "I think I remember
> reading about a knob to do this in GnuTLS but I can't find it right
> now".
>
> OpenSSL: if you use a directory, it does not send the server CAs. If
> you use a file, it does.
>
> For GnuTLS, this is not a change in behaviour, not a regression, so
> adding this would be a feature enhancement which can go into 4.81.


I agree. There is enough RCs already :). This is not affecting
deliveries in real life because nobody is using the buggy GnuTLS
versions on the client side yet.

Most random SMTP speakers have certificates which are not signed by any
well-known money-making CA, with some notable exceptions (such as
Google). Thus the verification of random SMTP speakers against "all"
CAs is quite pointless and therefore can be disabled easily if needed.

> The option might be useful, yes. This
> sending-of-list-of-CAs-we-might-trust to the client is part of why I
> always use directory mode with OpenSSL. We should let GnuTLS folks get
> the same protection.


I suppose it should be also expanded in tls_expand_session_files()
because the set of acceptable CAs may change depending on circumstances.
(Typical usage case: try to verify against "all" CAs on port 25 to see
if they paid to a CA (but do not advertise all of them) and require
verify against internal CA on port 587 (and advertise it so that the
client can pick the right certificate).)

--
Janne Snabb / EPIPE Communications
snabb@??? - http://epipe.com/