Re: [exim-dev] Big CA certificate bundle causes problems wit…

Top Page
Delete this message
Reply to this message
Author: Heiko Schlittermann
Date:  
To: exim-dev
Subject: Re: [exim-dev] Big CA certificate bundle causes problems with GnuTLS 3.0.11
Janne Snabb <snabb@???> (Di 05 Jun 2012 08:25:48 CEST):
> On 2012-05-30 05:44, Janne Snabb wrote:
> > This is not affecting deliveries in real life because nobody is
> > using the buggy GnuTLS versions on the client side yet.
>
> Just a correction to my previous statement:
>
> I did start seeing some TLS handshake failures with the Debian/Ubuntu
> certificate bundle and "tls_try_verify_hosts = *". So it looks like
> there are few mail senders who use some of the broken GnuTLS versions.
>
> Thus it is not a good idea to run such a setup in a production
> environment. Reducing the amount of CA's or disabling
> "tls_try_verify_hosts" solves the problem until we get the "don't
> advertise CAs" knob in the next release :).


Just for the records, I think the problem is already known for some
time:

http://thread.gmane.org/gmane.network.gnutls.general/1688
http://thread.gmane.org/gmane.mail.exim.user/83688
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=478191

(If I remember well, then even Microsoft Products used a "broken version
of GnuTLS", or at least exposed the same behaviour…)

--
Heiko :: dresden : linux : SCHLITTERMANN.de
GPG Key 48D0359B : 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B