Author: Jeremy Harris
Date:
To: exim-users
Subject: Re: [exim] gnutls tester wanted

On 22/09/14 14:57, Viktor Dukhovni wrote:
> On Fri, Sep 19, 2014 at 04:11:31PM +0100, Jeremy Harris wrote:
>
>> Mind, I think I see an issue in the openssl implementation;
>> does anyone actually use it? I *think* the only advertised
>> acceptable CAs are those from a file, not from a dir...
>
> Lots of people use CApath with OpenSSL. You need to run c_rehash,
> and be mindful of the fact that the hash symlinks are different
> for OpenSSL 0.9.x vs. 1.0.0 and later. Some versions of c_rehash
> generate both.

I was concerned about exim's usage, not the OpenSSL library per se.
It turns out that both OpenSSL and GnuTLS intentionally violate
the letter of the standard in the relevant area (the list of
acceptable CAs for client certificates that the server sends);
hence the apparent failing of the exim usage is possibly moot
(depending on whether other SSL libraries also ignore the
list as received at the client).
--
Cheers,
Jeremy
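
The list of acceptable CAs discussed in the message above is the `certificate_authorities` field of the TLS CertificateRequest handshake message. The following parser is an added example, not part of the original message or of exim's code: it extracts that list from a message body so an administrator can check which CA names a server actually advertises. It assumes the TLS 1.2 layout from RFC 5246 section 7.4.4; the function names and the sample data are constructed for illustration.

```python
def _vector(buf: bytes, pos: int, len_bytes: int):
    """Read one length-prefixed TLS vector; return (content, next_pos)."""
    if pos + len_bytes > len(buf):
        raise ValueError("truncated length field")
    n = int.from_bytes(buf[pos:pos + len_bytes], "big")
    start = pos + len_bytes
    if start + n > len(buf):
        raise ValueError("vector runs past end of message")
    return buf[start:start + n], start + n

def parse_certificate_request(body: bytes) -> dict:
    """Parse a TLS 1.2 CertificateRequest body (RFC 5246, section 7.4.4)."""
    types, pos = _vector(body, 0, 1)        # certificate_types<1..2^8-1>
    sigs, pos = _vector(body, pos, 2)       # supported_signature_algorithms
    ca_block, pos = _vector(body, pos, 2)   # certificate_authorities<0..2^16-1>
    if pos != len(body) or len(sigs) % 2:
        raise ValueError("malformed CertificateRequest")
    names, i = [], 0
    while i < len(ca_block):
        dn, i = _vector(ca_block, i, 2)     # DistinguishedName<1..2^16-1>
        if not dn:
            raise ValueError("empty DistinguishedName")
        names.append(dn)
    return {
        "certificate_types": list(types),
        "signature_algorithms": [(sigs[k], sigs[k + 1]) for k in range(0, len(sigs), 2)],
        "certificate_authorities": names,   # raw DER-encoded X.501 Names
        "ca_list_empty": not names,         # server named no CA at all
    }

def _tlv(tag: int, content: bytes) -> bytes:
    """DER TLV for short (<128 byte) contents; enough for the constructed sample."""
    return bytes([tag, len(content)]) + content

def sample_dn(cn: str) -> bytes:
    """Constructed sample: DER Name holding a single commonName attribute."""
    attr = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, attr))

def sample_request(dns) -> bytes:
    """Constructed sample body: rsa_sign + ecdsa_sign, SHA-256 with RSA/ECDSA."""
    ca_block = b"".join(len(d).to_bytes(2, "big") + d for d in dns)
    return (b"\x02\x01\x40" + b"\x00\x04\x04\x01\x04\x03"
            + len(ca_block).to_bytes(2, "big") + ca_block)

if __name__ == "__main__":
    req = parse_certificate_request(sample_request([sample_dn("Example CA")]))
    print(len(req["certificate_authorities"]), "CA name(s) advertised")
```

The returned names are raw DER; compare them byte for byte against the subject of each CA certificate the server is configured to trust to see whether the advertised list matches the file or directory in use.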