Re: [exim-dev] Big CA certificate bundle causes problems wit…

Author: Janne Snabb
Date:
To: exim-dev
Subject: Re: [exim-dev] Big CA certificate bundle causes problems with GnuTLS 3.0.11
On 2012-05-30 05:44, Janne Snabb wrote:
> This is not affecting deliveries in real life because nobody is
> using the buggy GnuTLS versions on the client side yet.


Just a correction to my previous statement:

I did start seeing some TLS handshake failures with the Debian/Ubuntu
certificate bundle and "tls_try_verify_hosts = *". So it looks like
there are a few mail senders who use some of the broken GnuTLS versions.

Thus it is not a good idea to run such a setup in a production
environment. Reducing the number of CAs or disabling
"tls_try_verify_hosts" solves the problem until we get the "don't
advertise CAs" knob in the next release :).

--
Janne Snabb / EPIPE Communications
snabb@??? - http://epipe.com/