Bug#446036: exim4: please compile against openssl instead of gnutls
Simon Josefsson
simon at josefsson.org
Thu Jan 3 21:41:35 UTC 2008
Hi! I'm commenting one thing only in this post, prompted by
<http://lists.gnu.org/archive/html/gnutls-devel/2008-01/msg00004.html>.
> and most importantly for me, openssl actually supports full
> certificate chain lookups, so you can be guaranteed that this cert was
> signed by that ca. gnutls does not, to the best of my
> knowledge.
That is not true. GnuTLS can verify that the client certificate chains
back to the CA, and has been doing so for a long time (before I became
GnuTLS maintainer). Naturally, the application needs to do the right
thing to trigger that feature, but there are examples and documentation
on how to do it. I looked in the source for exim4 in src/tls-gnu.c
which contains:
/* Called after a successful handshake, when certificate verification is
required or optional, for both server and client.
Arguments:
session GNUTLS session
error where to put text giving a reason for failure
Returns: TRUE/FALSE
*/
static BOOL
verify_certificate(gnutls_session session, uschar **error)
The function calls the relevant gnutls function,
gnutls_certificate_verify_peers. It looks reasonably correct, although
I did not audit the code.
My conclusion is that the feature is implemented by exim4, and if there
is any problem in this area, it would be a bug. Can you provide more
information on what made you reach the conclusion above?
/Simon
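As an added illustration of the post-handshake step the post describes (the application has to ask GnuTLS to verify the chain and then act on the result), here is an example in the shape of exim4's verify_certificate(). It is my own code, not exim4's src/tls-gnu.c and not GnuTLS's; it assumes the two-argument gnutls_certificate_verify_peers2() (the form the post names is the older one-argument gnutls_certificate_verify_peers()), and the USE_GNUTLS build switch is mine. When USE_GNUTLS is not defined, the status bits are local mirrors of the gnutls_certificate_status_t values so that the accept/reject logic compiles and runs without libgnutls.

```c
/* Added example: chain verification after gnutls_handshake(), modelled on
 * exim4's verify_certificate() but hypothetical code. Build the real thing
 * with: cc -DUSE_GNUTLS verify.c -lgnutls */
#include <stdio.h>
#include <string.h>

#ifdef USE_GNUTLS
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
#else
/* Mirrors of gnutls_certificate_status_t (gnutls.h) so the decision logic
 * below can be compiled and exercised without libgnutls installed. */
#define GNUTLS_CERT_INVALID            (1u << 1)
#define GNUTLS_CERT_REVOKED            (1u << 5)
#define GNUTLS_CERT_SIGNER_NOT_FOUND   (1u << 6)
#define GNUTLS_CERT_SIGNER_NOT_CA      (1u << 7)
#define GNUTLS_CERT_INSECURE_ALGORITHM (1u << 8)
#define GNUTLS_CERT_NOT_ACTIVATED      (1u << 9)
#define GNUTLS_CERT_EXPIRED            (1u << 10)
#endif

/* Append one reason fragment to a comma-separated list, never overflowing. */
static void append_reason(char *dst, size_t len, const char *s)
{
    if (dst[0] != '\0')
        strncat(dst, ", ", len - strlen(dst) - 1);
    strncat(dst, s, len - strlen(dst) - 1);
}

/* Turn the verification status bitmask into a decision plus a text reason
 * (the role of the `uschar **error` argument in exim4's verify_certificate).
 * Returns 1 to accept the peer, 0 to reject it. Any non-zero status rejects;
 * bits this code does not name are still reported rather than ignored. */
int verify_status_decide(unsigned int status, char *reason, size_t len)
{
    static const struct { unsigned int bit; const char *text; } flags[] = {
        { GNUTLS_CERT_SIGNER_NOT_FOUND,   "signer not found" },
        { GNUTLS_CERT_SIGNER_NOT_CA,      "signer is not a CA" },
        { GNUTLS_CERT_REVOKED,            "certificate revoked" },
        { GNUTLS_CERT_EXPIRED,            "certificate expired" },
        { GNUTLS_CERT_NOT_ACTIVATED,      "certificate not yet valid" },
        { GNUTLS_CERT_INSECURE_ALGORITHM, "insecure signature algorithm" },
    };
    unsigned int explained = 0, leftover;
    size_t i;

    if (len == 0)
        return 0;
    reason[0] = '\0';
    if (status == 0) {
        snprintf(reason, len, "certificate chain verified");
        return 1;
    }
    for (i = 0; i < sizeof flags / sizeof flags[0]; i++) {
        if (status & flags[i].bit) {
            append_reason(reason, len, flags[i].text);
            explained |= flags[i].bit;
        }
    }
    /* GNUTLS_CERT_INVALID is the summary bit; anything else unexplained is
     * a failure we have not named, so say so instead of accepting. */
    leftover = status & ~(explained | GNUTLS_CERT_INVALID);
    if (leftover) {
        char tmp[48];
        snprintf(tmp, sizeof tmp, "other status bits 0x%x", leftover);
        append_reason(reason, len, tmp);
    }
    if (reason[0] == '\0')
        append_reason(reason, len, "certificate invalid");
    return 0;
}

#ifdef USE_GNUTLS
/* Call once gnutls_handshake() has succeeded. On the client side pass the
 * expected server name; on the server side pass NULL. Relies on the
 * credentials having been given a trust store (gnutls_certificate_set_x509_
 * trust_file) and, for servers, on gnutls_certificate_server_set_request(). */
int verify_peer(gnutls_session_t session, const char *hostname,
                char *reason, size_t len)
{
    unsigned int status = 0, ncerts = 0;
    const gnutls_datum_t *certs;
    gnutls_x509_crt_t crt;
    int rc = gnutls_certificate_verify_peers2(session, &status);

    /* A missing peer certificate comes back as a negative error, not status 0. */
    if (rc < 0) {
        snprintf(reason, len, "verify_peers2: %s", gnutls_strerror(rc));
        return 0;
    }
    if (!verify_status_decide(status, reason, len))
        return 0;
    if (hostname == NULL)
        return 1;
    /* Chain validity says nothing about identity: check the leaf's name too. */
    certs = gnutls_certificate_get_peers(session, &ncerts);
    if (certs == NULL || ncerts == 0 || gnutls_x509_crt_init(&crt) < 0) {
        snprintf(reason, len, "no peer certificate to check hostname against");
        return 0;
    }
    rc = gnutls_x509_crt_import(crt, &certs[0], GNUTLS_X509_FMT_DER) < 0
         || !gnutls_x509_crt_check_hostname(crt, hostname);
    gnutls_x509_crt_deinit(crt);
    if (rc) {
        snprintf(reason, len, "peer certificate does not match %s", hostname);
        return 0;
    }
    return 1;
}
#endif

int main(void)
{
    char reason[128];
    /* Constructed status value: chain broken because no trusted signer. */
    unsigned int sample = GNUTLS_CERT_INVALID | GNUTLS_CERT_SIGNER_NOT_FOUND;
    int ok = verify_status_decide(sample, reason, sizeof reason);
    printf("accept=%d (%s)\n", ok, reason);
    return 0;
}
```

The point the post makes is that GnuTLS only checks the chain when the application calls for it: the trust store has to be loaded into the credentials, a server has to request a client certificate, and the result of gnutls_certificate_verify_peers2() has to be inspected and enforced rather than ignored. The hostname check at the end is a separate step that chain verification does not cover.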