[Pkg-gnutls-maint] Bug#478191: Bug#478191: Is this really the real fix, or only a workaround?

Marc Haber mh+debian-bugs at zugschlus.de
Thu May 22 15:29:22 UTC 2008


On Thu, May 22, 2008 at 05:20:21PM +0200, Simon Josefsson wrote:
> I think increasing the limit is necessary since there appeared to be
> some configurations which ran into the earlier limit.  Possibly 48kb is
> excessive, and it could be made smaller.  I think the largest handshake
> we saw in reality was 25kb.

Yes, but it is bound to grow with Debian's ca-certificates package.

> Configuring the list of ca-certificates is possible, as far as I know.
> GnuTLS doesn't do any of this, it is in the application.  I suspect exim
> is using the ca-certificates debian infrastructure.

The exim package does not do anything like that explicitly, and exim's
GnuTLS code is quite rudimentary and certainly not Debian-specific.

>   It seems some people click to trust every CA in the entire world (or
>   close to that)

That seems to be the default when installing Debian's ca-certificates
package.

> Btw, we have fixed the warning message you get when this happens,

That's very good news and will help debugging in the future.

> Possibly we could even revert back to the earlier 16kb limit, if the
> configurations with a lot of CAs are considered excessive and buggy by
> themselves.

So that would be a bug in the ca-certificates package, which I
unfortunately do not know of.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Phone: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190

Please note that, under the [in my opinion unconstitutional] data
retention law, since 1 January 2008 every electronic contact (e-mail,
telephone calls, SMS, Internet telephony, mobile telephony, fax) with me
or other users is stored for six months, regardless of any suspicion,
for automated secret access by law enforcement and police authorities,
the Federal Financial Supervisory Authority, customs criminal
investigation and customs investigation offices, the customs
administration for combating undeclared work, emergency call answering
points, constitutional protection authorities, the Military
Counterintelligence Service, the Federal Intelligence Service, as well
as 52 states such as Azerbaijan or the USA, including communication
with persons bound by professional secrecy such as doctors, journalists
and lawyers. More information on the total logging of your
communication data at www.vorratsdatenspeicherung.de. (adopted with
slight changes, copied from www.lawblog.de)
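The usual reason a TLS handshake grows with the number of trusted CAs, as discussed above, is that a server asking for a client certificate lists every trusted CA's subject name in its TLS 1.2 CertificateRequest, so the figure to watch is the total size of the subject DNs in the trust bundle. The Python below is an added example, not code from this thread, Exim or GnuTLS: it walks a PEM bundle with a small DER reader, computes the size of that certificate_authorities vector as RFC 5246 defines it, and compares it to the 16 and 48 kb limits named above (assumed here to be multiples of 1024); the certificate fixtures it builds are constructed and unsigned.

```python
import base64, re

def der(tag, content):
    """Encode one DER TLV with a minimal definite-length header."""
    n = len(content)
    k = (n.bit_length() + 7) // 8 if n >= 0x80 else 0      # long-form length bytes needed
    length = bytes([n]) if k == 0 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + length + content

def tlv(buf, pos):
    """Decode the TLV at pos; return (tag, value, offset just past it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                      # long-form length
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + length], pos + length

def subject_of(cert_der):
    """Return the raw DER subject Name of an X.509 certificate (RFC 5280 field order)."""
    _, tbs, _ = tlv(tlv(cert_der, 0)[1], 0)                # Certificate -> tbsCertificate
    tag, _, pos = tlv(tbs, 0)                              # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = tlv(tbs, pos)                          # serialNumber
    for _ in range(3):                                     # signature, issuer, validity
        _, _, pos = tlv(tbs, pos)
    return tbs[pos:tlv(tbs, pos)[2]]                       # subject, header included

def certificate_authorities_size(pem_bundle):
    """Bytes the TLS 1.2 certificate_authorities vector (RFC 5246 7.4.4) takes for the
    bundle: a 2-byte vector length, then every subject DN behind its own 2-byte length."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_bundle, re.S)
    dns = [subject_of(base64.b64decode("".join(b.split()))) for b in blocks]
    return 2 + sum(2 + len(dn) for dn in dns)

def exceeds_limit(pem_bundle, limit_kb):   # does the CA-name list alone outgrow limit_kb KiB?
    return certificate_authorities_size(pem_bundle) > limit_kb * 1024

def name(cn):
    """DER Name holding a single commonName attribute (constructed fixture)."""
    attr = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, cn.encode()))
    return der(0x30, der(0x31, attr))

def fake_root_pem(cn):
    """Unsigned, self-issued certificate-shaped fixture (constructed, for sizing only)."""
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))   # sha256WithRSA
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + name(cn) + der(0x30, der(0x17, b"080101000000Z") * 2)    # issuer, validity
              + name(cn) + der(0x30, alg + der(0x03, b"\x00")))          # subject, dummy SPKI
    cert = der(0x30, tbs + alg + der(0x03, b"\x00"))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode()
            + "-----END CERTIFICATE-----\n")
```

Run `certificate_authorities_size` over /etc/ssl/certs/ca-certificates.crt (or whatever bundle the application hands to GnuTLS) to see how close a given trust store comes to either limit.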