Re: tlsa for smtp to @bugs.debian.org
>>>>> "Md" == Marco d'Itri <md@Linux.IT> writes:
Md> Maybe it is related to this?
It is related, but different.
The root problem (pardon the pun) is that cacert's root certificate is
signed with md5 and gnutls doesn't like that.
When I use gnutls-cli to connect and submit the cert as a client cert,
gnutls submits /only/ the ee cert. Openssl's s_client also sends the
When buxtehude's gnutls sees the md5-signed root cert it aborts the
The problem in the referenced URI is that gnutls refuses to tolerate
a less secure DH key size. Here, gnutls refuses to tolerate a less
secure hash algorithm.
It should be possible to use smtp_tls_policy_maps to disable sending a
client cert for the affected host(s).
James Cloos <firstname.lastname@example.org> OpenPGP: 1024D/ED7DAEA6
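Added example, not part of the thread: a stdlib-only check that walks a certificate chain and reports each certificate's signature algorithm, so an MD5-signed root like the one described above can be spotted before GnuTLS rejects it. The DER walker reads only the outer signatureAlgorithm field; the sample chain is a constructed stand-in (valid Certificate structure, placeholder contents), not a real certificate.

```python
# Added example, not from the thread: report the signature algorithm of every
# certificate in a chain and flag MD5-signed ones (the kind GnuTLS rejects).
SIG_OIDS = {                                  # PKCS#1 signature algorithm OIDs
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
MD5_RSA_OID = "1.2.840.113549.1.1.4"

def _tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Contents octets of an OBJECT IDENTIFIER -> dotted-decimal string."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                      # high bit clear: last octet of this arc
            arcs.append(val); val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Dotted OID of the outer signatureAlgorithm of a DER-encoded Certificate."""
    _, cert, _ = _tlv(der, 0)                 # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, _, pos = _tlv(cert, 0)                 # skip tbsCertificate
    _, alg, _ = _tlv(cert, pos)               # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = _tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier: expected OBJECT IDENTIFIER")
    return _decode_oid(oid)

def audit_chain(ders):
    """[(index, algorithm name, is_md5)] for each DER certificate in the chain."""
    oids = [signature_algorithm(d) for d in ders]
    return [(i, SIG_OIDS.get(o, o), o == MD5_RSA_OID) for i, o in enumerate(oids)]

# Constructed sample input: a structurally valid Certificate shell, not a real cert.
def _der(tag, body):
    return bytes([tag, len(body)]) + body     # short-form lengths only; enough for the sample

def fake_cert(sig_oid_hex):
    tbs = _der(0x30, _der(0x02, b"\x01"))                                   # placeholder tbsCertificate
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + b"\x05\x00")  # OID + NULL params
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 17))                 # + placeholder BIT STRING

MD5_RSA_HEX, SHA256_RSA_HEX = "2a864886f70d010104", "2a864886f70d01010b"
SAMPLE_CHAIN = [fake_cert(SHA256_RSA_HEX), fake_cert(MD5_RSA_HEX)]         # leaf sha256, root md5
```

On real input, pass `audit_chain` the base64-decoded bodies of the PEM blocks in the chain file the MTA presents; any entry whose third field is True is the certificate GnuTLS will refuse.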