Bug#446036: exim4: please compile against openssl instead of gnutls
Simon Josefsson
simon at josefsson.org
Tue Mar 31 09:31:39 UTC 2009
Stephen Gran <sgran at debian.org> writes:
> This one time, at band camp, Simon Josefsson said:
>> Hi! I'm commenting one thing only in this post, prompted by
>> <http://lists.gnu.org/archive/html/gnutls-devel/2008-01/msg00004.html>.
>>
>> > and most importantly for me, openssl actually supports full
>> > certificate chain lookups, so you can be guaranteed that this cert was
>> > signed by that ca. gnutls does not, to the best of my
>> > knowledge.
>>
>> That is not true. GnuTLS can verify that the client certificate chains
>> back to the CA, and has been doing so for a long time (before I became
>> GnuTLS maintainer). Naturally, the application needs to do the right
>> thing to trigger that feature, but there are examples and documentation
>> on how to do it. I looked in the source for exim4 in src/tls-gnu.c
>> which contains:
>
> I spoke imprecisely, and for that I'm sorry. I meant that when exim is
> compiled against openssl, it can be pointed to a directory of hashed
> certs and it will perform validation against certs found there. gnutls
> does not seem to have this ability, to the best of my knowledge, and you
> have to instead manually include the ca.crts you are interested in, in
> a file.
Right.
> This may be a limitation of the parts of the gnutls API that exim
> exposes, but I was under the impression this is a limitation of
> gnutls.
It is intentional, not a limitation. The method to use a directory with
hashed certs is specific to OpenSSL. The GnuTLS APIs allow you to
implement that model, if you really want to: use readdir to list the
files in the directory, and decide whether to parse and trust each file
as a CA cert. Be sure to compare this with OpenSSL's documentation on
how hashed directories are intended to work; maybe you shouldn't trust
all files in that directory.
> I remember some issues getting CRLs to work with exim and gnutls, but
> that may have either been an error in the exim implementation or an
> error on my part - gnutls would not be very useful if it couldn't handle
> revocations.
Please report it to us if you can reproduce it. I don't think many
people use CRLs.
/Simon
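The practical bridge between the two models discussed above, as an added example that is not part of the original message and not code from exim, GnuTLS or OpenSSL: a POSIX shell script that walks an OpenSSL-style hashed CA directory and builds the single PEM trust file a GnuTLS-linked exim expects. It applies the caveat Simon raises by accepting only entries that follow the c_rehash naming convention (eight hex digits of the subject-name hash, a dot, a decimal suffix such as `5ed36f99.0`), that resolve to regular files, and that actually contain a PEM certificate block; CRL links (`<hash>.r0`), README files, editor backups and stray keys are skipped. The function names `hashed_ca_candidates` and `build_ca_bundle`, the script name in the usage comment and the sample filenames are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not exim's, GnuTLS's or OpenSSL's own code): build one
# PEM bundle for a GnuTLS-based exim from an OpenSSL hashed CA directory.
#
# Usage: sh hashed2bundle.sh /etc/ssl/certs /etc/exim4/ca-bundle.pem
# (script name and paths are illustrative assumptions)

# Print, one per line and sorted, the entries of directory $1 that
#   - are named the way c_rehash names them: <8 lowercase hex>.<n>
#     (CRL links are <hash>.r<n> and therefore do not match),
#   - resolve to a regular file (c_rehash usually creates symlinks), and
#   - contain at least one PEM certificate block.
# Everything else in the directory is deliberately ignored.
hashed_ca_candidates() {
    dir=$1
    for path in "$dir"/*; do
        [ -e "$path" ] || continue          # empty dir or dangling symlink
        name=${path##*/}
        printf '%s\n' "$name" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$' || continue
        [ -f "$path" ] || continue          # skip subdirectories, sockets, ...
        grep -q -- '-----BEGIN CERTIFICATE-----' "$path" || continue
        printf '%s\n' "$name"
    done | sort
}

# Concatenate the accepted certificates from directory $1 into file $2.
# Refuses to write an empty bundle: a trust file with no certificates
# would make every client certificate fail verification (or, depending
# on the application, be silently skipped), so fail loudly instead.
build_ca_bundle() {
    dir=$1
    out=$2
    names=$(hashed_ca_candidates "$dir")
    if [ -z "$names" ]; then
        echo "no usable CA certificates found in $dir" >&2
        return 1
    fi
    : > "$out"
    printf '%s\n' "$names" | while IFS= read -r name; do
        cat "$dir/$name" >> "$out"
    done
    echo "wrote $(printf '%s\n' "$names" | wc -l | tr -d ' ') certificate file(s) to $out" >&2
}

if [ $# -eq 2 ]; then
    build_ca_bundle "$1" "$2"
fi
```

Point exim's `tls_verify_certificates` at the resulting file and re-run the script whenever the hashed directory changes; the filename filter is what keeps a stray private key or an unrelated `.pem` dropped into the directory from becoming a trust anchor.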