[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: tlsa for smtp to @bugs.debian.org

On Fri, Sep 13, 2013 at 09:29:30AM -0400, James Cloos wrote:
> 
> The root problem (pardon the pun) is that cacert's root certificate is
> signed with md5 and gnutls doesn't like that.

A self-signed cert's signature algorithm really isn't that
important.  You either trust that cert or you don't.  Which
is why openssl started to ignore this for root CAs.  I'm not
sure what gnutls does with it.

> The problem in the referenced URI is that gnutls refuses to tolerate
> a less secure DH key size.  Here, gnutls refuses to tolerate a less
> secure hash algorithm.

I think gnutls by default has a minimum size of 727 for the DH
size while openssl doesn't have any check for this.  But if you're
using DH you really want to move to something like 2048 if
possible.


Kurt
Reply to: