Re: tlsa for smtp to @bugs.debian.org
>>>>> "KR" == Kurt Roeckx <email@example.com> writes:
KR> A self-signed cert's signature algorithm really isn't that
KR> important. You either trust that cert or you don't. Which
KR> is why openssl started to ignore this for root CAs. I'm not
KR> sure what gnutls does with it.
Thanks. That is most reasonable.
Empirically, the version of gnutls in wheezy does care about the self
sig on the root cert when presented with a tls client cert chain where
it (the tls server) is not configured to trust the chain's root, the
root's self sig is md5 and the ee cert's sig is sha256.
In this case, the tls server does not require a trusted client cert,
but notes the presence of such certs.
So, the ONLY think gnutls objected to in the case was that the presented
client cert chain had a root-self-sig using MD5.
I will send a note to gnutls-devel about it.
And one to postfix-devel suggesting that if the tls nego fails just
after offering a client cert, that it retry w/o the client cert.
I've worked around the problem locally by offering a different cert
when sending mail.
James Cloos <firstname.lastname@example.org> OpenPGP: 1024D/ED7DAEA6