
Re: tlsa for smtp to @bugs.debian.org



>>>>> "Md" == Marco d'Itri <md@Linux.IT> writes:

Md> Maybe it is related to this?

Md> http://www.postfix.org/announcements/postfix-2.10.2.html

It is related, but different.

The root problem (pardon the pun) is that cacert's root certificate is
signed with md5 and gnutls doesn't like that.

When I use gnutls-cli to connect and submit the cert as a client cert,
gnutls submits /only/ the ee cert.  Openssl's s_client also sends the
signing cert.

When buxtehude's gnutls sees the md5-signed root cert it aborts the
negotiation.

The problem in the referenced URI is that gnutls refuses to tolerate
a less secure DH key size.  Here, gnutls refuses to tolerate a less
secure hash algorithm.

It should be possible to use smtp_tls_policy_maps to disable sending a
client cert for the affected host(s).

-JimC
-- 
James Cloos <cloos@jhcloos.com>         OpenPGP: 1024D/ED7DAEA6
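One concrete way to stop Postfix from offering a client certificate to a single destination, added here as an illustration and not part of the original message or the Debian/Postfix project's own configuration. Instead of a `smtp_tls_policy_maps` entry, this example routes the affected domain through a dedicated `master.cf` transport whose `-o` overrides clear `smtp_tls_cert_file` and `smtp_tls_key_file`, so only that delivery path omits the client cert while every other destination keeps the normal settings. The certificate and key paths and the `transport` lookup table location are assumed values.

```text
# main.cf (relevant lines only; paths are assumptions)
smtp_tls_security_level = may
smtp_tls_cert_file      = /etc/ssl/certs/mail-client.pem
smtp_tls_key_file       = /etc/ssl/private/mail-client.key
transport_maps          = hash:/etc/postfix/transport

# master.cf: a second smtp(8) client that presents no client certificate.
# Empty values for the cert/key parameters restore Postfix's default
# (no client certificate); syslog_name tags its log lines so the two
# delivery paths can be told apart when checking mail.log.
smtp-nocert  unix  -  -  n  -  -  smtp
    -o smtp_tls_cert_file=
    -o smtp_tls_key_file=
    -o syslog_name=postfix/nocert

# /etc/postfix/transport: send the affected domain via that transport.
# Rebuild the table with "postmap /etc/postfix/transport" and reload Postfix
# after editing.
bugs.debian.org    smtp-nocert:
```

After the change, deliveries to the listed domain are logged under `postfix/nocert`, which makes it easy to confirm that the TLS handshake now completes there while other destinations still receive the client cert.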

