Bug#446036: exim4: please compile against openssl instead of gnutls

Simon Josefsson simon at josefsson.org
Tue Mar 31 09:31:39 UTC 2009


Stephen Gran <sgran at debian.org> writes:

> This one time, at band camp, Simon Josefsson said:
>> Hi!  I'm commenting one thing only in this post, prompted by
>> <http://lists.gnu.org/archive/html/gnutls-devel/2008-01/msg00004.html>.
>> 
>> > and most importantly for me, openssl actually supports full
>> > certificate chain lookups, so you can be guaranteed that this cert was
>> > signed by that ca.  gnutls does not, to the best of my
>> > knowledge.
>> 
>> That is not true.  GnuTLS can verify that the client certificate chains
>> back to the CA, and has been doing so for a long time (before I became
>> GnuTLS maintainer).  Naturally, the application needs to do the right
>> thing to trigger that feature, but there are examples and documentation
>> on how to do it.  I looked in the source for exim4 in src/tls-gnu.c
>> which contains:
>
> I spoke imprecisely, and for that I'm sorry.  I meant that when exim is 
> compiled against openssl, it can be pointed to a directory of hashed
> certs and it will perform validation against certs found there.  gnutls
> does not seem to have this ability, to the best of my knowledge, and you
> have to instead manually include the ca.crts you are interested in a
> file.

Right.

> This may be a limitation of the parts of the gnutls API that exim
> exposes, but I was under the impression this is a limitation of
> gnutls.

It is intentional, not a limitation.  The method to use a directory with
hashed certs is specific to OpenSSL.  The GnuTLS APIs allow you to
implement that model, if you really want to: use readdir to list the
files in the directory, and decide whether to parse and trust each file
as a CA cert.  Be sure to compare this with OpenSSL's documentation on
how hashed directories are intended to work, maybe you shouldn't trust
all files in that directory.

> I remember some issues getting CRLs to work with exim and gnutls, but
> that may have either been an error in the exim implementation or an
> error on my part - gnutls would not be very useful if it couldn't handle
> revocations.

Please report it to us if you can reproduce it.  I don't think many
people use CRLs.

/Simon

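Added example (not part of this thread, and not exim or GnuTLS code): a
small model of the OpenSSL hashed-directory lookup that the reply above
suggests reimplementing on top of GnuTLS with readdir.  It shows the part
that matters for the "maybe you shouldn't trust all files" caveat: OpenSSL's
by_dir lookup never reads the whole directory, it probes only the files
named <hash>.0, <hash>.1, ... for the hash of the issuer name it is
looking for, stops at the first gap, and accepts a candidate only if its
subject actually matches.  Assumptions: the hash computed here is the
legacy MD5-based one (openssl x509 -subject_hash_old), chosen because it is
defined directly over the DER Name; OpenSSL 1.0.0 and later look up by the
SHA-1 canonical-encoding hash (-subject_hash) instead, which this block
does not implement.  Certificates are stood in for by files containing just
the DER-encoded subject Name, so no X.509 parsing is needed; names, the
directory and the stray file are all constructed for the demo.  Feeding the
files this lookup accepts into GnuTLS would then be a matter of calling
gnutls_certificate_set_x509_trust_file() on each one.

```python
"""Model of OpenSSL's hashed CA directory (X509_LOOKUP_hash_dir) as a
readdir-style policy: only <subject_hash>.<n> files are ever consulted."""
import hashlib
import os
import re
import tempfile

# --- minimal DER encoder for an X.501 Name (assumption: UTF8String values only)
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

OIDS = {"C": "2.5.4.6", "O": "2.5.4.10", "CN": "2.5.4.3"}

def encode_name(rdns):
    """[(attr, value), ...] -> DER SEQUENCE OF SET OF AttributeTypeAndValue."""
    sets = b""
    for attr, value in rdns:
        atv = _tlv(0x30, _oid(OIDS[attr]) + _tlv(0x0C, value.encode("utf-8")))
        sets += _tlv(0x31, atv)
    return _tlv(0x30, sets)

def subject_hash_old(name_der):
    """OpenSSL X509_NAME_hash_old: MD5 over the DER Name, first 4 bytes
    read little-endian, printed as 8 lowercase hex digits (the filename stem)."""
    md = hashlib.md5(name_der).digest()
    return "%08x" % int.from_bytes(md[:4], "little")

FILENAME_RE = re.compile(r"^[0-9a-f]{8}\.\d+$")

def install(cadir, name_der):
    """What c_rehash does: drop the CA into the next free <hash>.<n> slot."""
    h = subject_hash_old(name_der)
    n = 0
    while os.path.exists(os.path.join(cadir, "%s.%d" % (h, n))):
        n += 1
    fname = "%s.%d" % (h, n)
    with open(os.path.join(cadir, fname), "wb") as f:
        f.write(name_der)   # stand-in for the certificate: just its subject Name
    return fname

def lookup_issuer(cadir, issuer_der):
    """Mimic by_dir: probe <hash>.0, <hash>.1, ... until a slot is missing.
    A candidate is accepted only if its subject equals the issuer we want;
    a hash collision or a squatted slot just moves the probe to the next index.
    Returns the matching filename, or None.  Other files are never opened."""
    h = subject_hash_old(issuer_der)
    n = 0
    while True:
        path = os.path.join(cadir, "%s.%d" % (h, n))
        if not os.path.exists(path):
            return None
        with open(path, "rb") as f:
            if f.read() == issuer_der:
                return os.path.basename(path)
        n += 1

def ignored_files(cadir):
    """Everything present in the directory that hashed lookup will never read."""
    return sorted(f for f in os.listdir(cadir) if not FILENAME_RE.match(f))

def demo():
    """Constructed scenario: a squatted slot, two real CAs, one stray file."""
    cadir = tempfile.mkdtemp(prefix="hashed-ca-")
    ca1 = encode_name([("C", "SE"), ("O", "Example AB"), ("CN", "Example Root CA")])
    ca2 = encode_name([("C", "US"), ("O", "Other Corp"), ("CN", "Other Root CA")])
    rogue = encode_name([("CN", "Rogue CA")])
    # Someone writes a different name into ca1's slot 0 before ca1 is installed.
    with open(os.path.join(cadir, subject_hash_old(ca1) + ".0"), "wb") as f:
        f.write(rogue)
    install(cadir, ca1)          # lands in <hash(ca1)>.1
    install(cadir, ca2)          # lands in <hash(ca2)>.0
    with open(os.path.join(cadir, "rogue-ca.pem"), "wb") as f:
        f.write(rogue)           # present in the directory, never consulted
    return {
        "ca1": lookup_issuer(cadir, ca1),
        "ca2": lookup_issuer(cadir, ca2),
        "rogue": lookup_issuer(cadir, rogue),
        "ignored": ignored_files(cadir),
    }

if __name__ == "__main__":
    print(demo())
```

The two things to carry over to a readdir-based GnuTLS loader are the
filename filter (anything not matching <8 hex digits>.<n> is not a trust
anchor, whatever its contents) and the subject check after the file is
parsed, since the name of a file is not evidence of what is in it.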