On 2012-05-30 05:44, Janne Snabb wrote:
> This is not affecting deliveries in real life because nobody is
> using the buggy GnuTLS versions on the client side yet.
Just a correction to my previous statement:
I did start seeing some TLS handshake failures with the Debian/Ubuntu
certificate bundle and "tls_try_verify_hosts = *". So it looks like
there are few mail senders who use some of the broken GnuTLS versions.
Thus it is not a good idea to run such a setup in a production
environment. Reducing the amount of CA's or disabling
"tls_try_verify_hosts" solves the problem until we get the "don't
advertise CAs" knob in the next release :).
--
Janne Snabb / EPIPE Communications
snabb@??? -
http://epipe.com/
