Re: tlsa for smtp to @bugs.debian.org
>>>>> "Md" == Marco d'Itri <md@Linux.IT> writes:
Md> Maybe it is related to this?
Md> http://www.postfix.org/announcements/postfix-2.10.2.html
It is related, but different.
The root problem (pardon the pun) is that cacert's root certificate is
signed with md5 and gnutls doesn't like that.
When I use gnutls-cli to connect and submit the cert as a client cert,
gnutls submits /only/ the ee cert. OpenSSL's s_client also sends the
signing cert.
When buxtehude's gnutls sees the md5-signed root cert it aborts the
negotiation.
The problem in the referenced URI is that gnutls refuses to tolerate
a less secure DH key size. Here, gnutls refuses to tolerate a less
secure hash algorithm.
It should be possible to use smtp_tls_policy_maps to disable sending a
client cert for the affected host(s).
-JimC
--
James Cloos <cloos@jhcloos.com> OpenPGP: 1024D/ED7DAEA6
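The check a practitioner wants after reading the above is "which certificate in the chain actually carries the MD5 signature?", since the peer only needs one MD5-signed link to refuse the handshake. What follows is an added example, not code from this thread, from CAcert, GnuTLS or Postfix: a standard-library-only Python script that splits a PEM chain, walks the outer DER of each certificate as far as the signatureAlgorithm OID, and reports the MD5 ones. The three-certificate sample chain at the bottom is constructed inside the script as a fixture (leaf SHA-256, intermediate SHA-1, root MD5) and is not a real CAcert chain; the names fake_cert_pem, audit_chain and md5_signed_positions are this example's own.

```python
# Added example: find MD5-signed certificates in a PEM chain (stdlib only).
import base64
import re

# Signature-algorithm OIDs from RFC 3279 / RFC 4055 that we name explicitly.
SIG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
MD5_SIG_OIDS = {"1.2.840.113549.1.1.4"}
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Decode one DER element at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x8N then N length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode the contents of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, n = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends this arc
            arcs.append(str(n))
            n = 0
    return ".".join(arcs)


def signature_oid(der):
    """Dotted OID of the outer signatureAlgorithm of a DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters OPTIONAL }
    """
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)      # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)    # signatureAlgorithm
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(oid)


def audit_chain(pem_text):
    """Return [(index, oid, name, is_md5)] for every certificate in pem_text."""
    report = []
    for i, m in enumerate(PEM_CERT.finditer(pem_text)):
        oid = signature_oid(base64.b64decode("".join(m.group(1).split())))
        report.append((i, oid, SIG_NAMES.get(oid, "unknown"), oid in MD5_SIG_OIDS))
    return report


def md5_signed_positions(pem_text):
    """Indexes (0 = first cert in the file) of MD5-signed certificates."""
    return [i for i, _, _, is_md5 in audit_chain(pem_text) if is_md5]


# --- constructed fixture: certificate-shaped DER, not a real certificate ---
def _tlv(tag, value):
    """Minimal DER encoder used only to build the fixture."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_cert_pem(sig_oid):
    """Placeholder tbsCertificate + real AlgorithmIdentifier + dummy signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg_id = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 8)
    b64 = base64.b64encode(_tlv(0x30, tbs + alg_id + sig)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed chain: leaf SHA-256, intermediate SHA-1, root MD5.
SAMPLE_CHAIN = (fake_cert_pem("1.2.840.113549.1.1.11")
                + fake_cert_pem("1.2.840.113549.1.1.5")
                + fake_cert_pem("1.2.840.113549.1.1.4"))

if __name__ == "__main__":
    for i, oid, name, is_md5 in audit_chain(SAMPLE_CHAIN):
        print(f"cert[{i}] {name} ({oid}){'  <-- MD5-signed' if is_md5 else ''}")
```

To run the same check against what a real server presents, capture the chain with `openssl s_client -connect host:25 -starttls smtp -showcerts </dev/null` and feed that output to audit_chain; `openssl x509 -noout -text` on an individual certificate prints the same field as "Signature Algorithm". Note that the script reads the signature on each certificate as sent, so a self-signed MD5 root that the sender includes in the chain will be flagged even though a verifier does not need to check a trust anchor's own signature; whether the peer tolerates it is up to the peer's TLS library, which is exactly the difference the thread observes.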