On Sun, Nov 10, 2013 at 05:05:10AM -0500, Phil Pennock wrote:
> Per the Exim README.UPDATING notes around GnuTLS changes in 4.80:
> ----------------------------8< cut here >8------------------------------
> Note that by default, GnuTLS will not accept RSA-MD5 signatures in chains.
> A tls_require_ciphers value of NORMAL:%VERIFY_ALLOW_SIGN_RSA_MD5 may
> re-enable support, but this is not supported by the Exim maintainers.
> Our test suite no longer includes MD5-based certificates.
> ----------------------------8< cut here >8------------------------------
>
> In more detail: Exim used to use very low-level controlling primitives
> for GnuTLS, in what is now a deprecated API, because Exim was one of the
> first applications to use that library and the support for better
> control by GnuTLS itself wasn't there. So Exim continued to
> force-enable MD5 long past its best-before date. When we switched to
> GnuTLS's higher-level API, we got significantly expanded ciphersuite
> support, more sophisticated controls, and lost MD5 being silently
> supported. I decided to regard this as a feature, and documented it,
> instead of fighting it.

Thanks Phil, I sure missed that. Ideally that's also the kind of stuff
the Debian folks put in changelogs you should look at, but obviously
this one got missed since it must have seemed minor.

It's too bad that there isn't a better way to pass the error to the user
since this one is definitely "hidden".

Obviously, my not really secure but better than plaintext self cert is
very old now and could use being re-created, so I'll do that now.

Thanks,
Marc
--
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | PGP 1024R/763BE901
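
An added example, not part of the original thread or of Exim's code: a stdlib-only Python check that reads a certificate's outer signatureAlgorithm OID, so certificates signed with RSA-MD5 (the kind GnuTLS stops accepting, per the README.UPDATING note quoted above) can be identified up front. The function names are this example's own, and the two sample inputs are constructed DER skeletons, not real certificates.

```python
import ssl

MD5_WITH_RSA = "1.2.840.113549.1.1.4"       # md5WithRSAEncryption

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    subs, val = [], 0
    for b in body:                          # base-128, high bit = more bytes follow
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(val)
            val = 0
    first = min(subs[0] // 40, 2)           # first two arcs share one subidentifier
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def signature_oid(cert):
    """OID of Certificate.signatureAlgorithm; cert is DER bytes or a PEM str."""
    if isinstance(cert, str):
        cert = ssl.PEM_cert_to_DER_cert(cert)
    outer, start, _ = read_tlv(cert, 0)             # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(cert, start)           # skip tbsCertificate
    _, alg_start, _ = read_tlv(cert, tbs_end)       # AlgorithmIdentifier
    tag, oid_start, oid_end = read_tlv(cert, alg_start)
    if (outer, tag) != (0x30, 0x06):
        raise ValueError("not an X.509 certificate in DER form")
    return decode_oid(cert[oid_start:oid_end])

# Constructed sample input: DER skeletons with the outer layout of a certificate.
def der(tag, body):
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_cert(last_arc):
    oid = bytes.fromhex("2a864886f70d0101") + bytes([last_arc])   # 1.2.840.113549.1.1.x
    alg = der(0x30, der(0x06, oid) + der(0x05, b""))
    return der(0x30, der(0x30, bytes(200)) + alg + der(0x03, bytes(17)))

MD5_SAMPLE = sample_cert(4)                 # md5WithRSAEncryption
SHA256_SAMPLE = sample_cert(11)             # sha256WithRSAEncryption
```

A certificate is affected when `signature_oid(...)` equals `MD5_WITH_RSA`; each certificate in a chain has to be checked separately.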