Am 22.12.2014 um 12:46 schrieb Yves Goergen:
> * A certificate hash with SHA-512 is not fine. I need to use SHA-256
> instead.
Sorry for spamming, but now it seems obvious that it must fail. GnuTLS
2.12 simply does not support SHA-512 certificates. Since CAcert seems to
have started issuing those, the web is full of bug reports. And they
also say that there's no meaningful error message on either side.
Because Ubuntu 14.04 with long-term support until early 2019 doesn't
have a newer version, we can't expect SHA-512 certificates to work for a
long time. Debian also seems to be affected for one more year.
Why does Exim use GnuTLS by default anyway? Most services use OpenSSL.
And doesn't using two SSL implementations mean that I'm vulnerable to
issues of both, instead of just one? At least I don't see how diversity
helps survive in this case.
--
Yves Goergen
http://unclassified.de
http://dev.unclassified.de
