Re: [exim-dev] Should we always load the default trust store…

Author: Heiko Schlittermann
Date:  
To: exim-dev
Subject: Re: [exim-dev] Should we always load the default trust store? (was: tls_verify_certificates forced failure vs. empty) string
Andreas Metzler <eximusers@???> (Do 27 Nov 2014 19:01:44 CET):

> Hello,
>
> just to add another piece of the puzzle: Last time I checked
> exim/openssl and exim/gnutls had a major difference in behavior with
> respect to tls_(try)verify_certificates: exim/GnuTLS would send the
> list of acceptable TLS certificates in the SSL handshake. If the list
> is long enough, this breaks interconnectivity.


OpenSSL sends the list of cert names if a file name is passed to
tls_verify_certificates.

And IMHO the peer crashed in cases where it used an older GnuTLS
version or was an older Outlook (do they use GnuTLS?).


    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: 7CBF764A -
 gnupg fingerprint: 9288 F17D BBF9 9625 5ABC  285C 26A9 687E 7CBF 764A -
(gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2  7E92 EE4E AC98 48D0 359B)-