Bug#446036: exim4: please compile against openssl instead of gnutls

Stephen Gran sgran at debian.org
Sat Mar 28 20:48:24 UTC 2009


This one time, at band camp, Simon Josefsson said:
> Hi!  I'm commenting one thing only in this post, prompted by
> <http://lists.gnu.org/archive/html/gnutls-devel/2008-01/msg00004.html>.
> 
> > and most importantly for me, openssl actually supports full
> > certificate chain lookups, so you can be guaranteed that this cert was
> > signed by that ca.  gnutls does not, to the best of my
> > knowledge.
> 
> That is not true.  GnuTLS can verify that the client certificate chains
> back to the CA, and has been doing so for a long time (before I became
> GnuTLS maintainer).  Naturally, the application needs to do the right
> thing to trigger that feature, but there are examples and documentation
> on how to do it.  I looked in the source for exim4 in src/tls-gnu.c
> which contains:

I spoke imprecisely, and for that I'm sorry.  I meant that when exim is
compiled against openssl, it can be pointed to a directory of hashed
certs and it will perform validation against certs found there.  gnutls
does not seem to have this ability, to the best of my knowledge, and you
have to instead manually include the ca.crts you are interested in in a
file.  This may be a limitation of the parts of the gnutls API that exim
exposes, but I was under the impression this is a limitation of gnutls.

I remember some issues getting CRLs to work with exim and gnutls, but
that may have either been an error in the exim implementation or an
error on my part - gnutls would not be very useful if it couldn't handle
revocations.

Cheers,
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran at debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------