[Pkg-gnutls-maint] Bug#478191: Bug#478191: Is this really the real fix, or only a workaround?
Simon Josefsson
simon at josefsson.org
Thu May 22 15:41:50 UTC 2008
Marc Haber <mh+debian-bugs at zugschlus.de> writes:
> On Thu, May 22, 2008 at 05:20:21PM +0200, Simon Josefsson wrote:
>> I think increasing the limit is necessary since there appeared to be
>> some configurations which ran into the earlier limit. Possibly 48kb is
>> excessive, and it could be made smaller. I think the largest handshake
>> we saw in reality was 25kb.
>
> Yes, but it is bound to grow with Debian's ca-certificates package.
Only if the ca-certificates package has a default so that users trust
all CAs in the package.
>> Configuring the list of ca-certificates is possible, as far as I know.
>> GnuTLS doesn't do any of this, it is in the application. I suspect exim
>> is using the ca-certificates debian infrastructure.
>
> The exim package does not do anything like that explicitly, and exim's
> GnuTLS code is quite rudimentary and certainly not Debian-specific.
Doesn't the debian exim packaging or TLS instructions lead to exim4
using the CAs in ca-certificates as the trusted CA? I wouldn't think
that upstream exim4 pointed administrators towards debian specific files
(although I don't know how this stuff is intended to work).
I think there is an element of debian-specific configuration or
documentation that makes this situation happen.
>> It seems some people click to trust every CA in the entire world (or
>> close to that)
>
> That seems to be the default when installing Debian's ca-certificates
> package.
That would be the problem then: either that, or exim4 shouldn't by
default request a client certificate (which triggers sending the list of
trusted CAs).
>> Possibly we could even revert back to the earlier 16kb limit, if the
>> configurations with a lot of CAs are considered excessive and buggy by
>> themselves.
>
> So that would be a bug in the ca-certificates package, which I
> unfortunately do not know of.
It would be useful to bring this up with the maintainers of
ca-certificates to understand why this is the case.
/Simon
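As an added illustration (not code from this thread, GnuTLS or exim) of why requesting a client certificate inflates the handshake: the server's TLS 1.2 CertificateRequest (RFC 5246, section 7.4.4) carries the DER-encoded DistinguishedName of every trusted CA, so the message grows linearly with the size of the trust store. The script builds that message from synthetic CA names; the subject attributes, algorithm lists and names are constructed assumptions, not Debian's ca-certificates contents.

```python
"""Measure a TLS 1.2 CertificateRequest as a function of trusted-CA count.
Constructed example: CA names are synthetic, not a real trust store."""
import struct


def der_tlv(tag: int, payload: bytes) -> bytes:
    """Minimal DER tag-length-value encoder for lengths below 65536."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    if n < 0x100:
        return bytes([tag, 0x81, n]) + payload
    return bytes([tag, 0x82]) + struct.pack(">H", n) + payload


def der_name(country: str, org: str, cn: str) -> bytes:
    """DER X.501 Name with C, O and CN (an assumed, typical CA subject)."""
    def rdn(oid: bytes, value: str, string_tag: int) -> bytes:
        attr = der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(string_tag, value.encode()))
        return der_tlv(0x31, attr)          # RelativeDistinguishedName is a SET
    return der_tlv(0x30,
                   rdn(b"\x55\x04\x06", country, 0x13)   # countryName, PrintableString
                   + rdn(b"\x55\x04\x0a", org, 0x0c)     # organizationName, UTF8String
                   + rdn(b"\x55\x04\x03", cn, 0x0c))     # commonName, UTF8String


def certificate_request(ca_names) -> bytes:
    """Handshake message: type 13, 24-bit length, cert types, sig algs, CA DNs."""
    cert_types = b"\x01\x40"                               # rsa_sign, ecdsa_sign
    sig_algs = b"\x04\x01\x05\x01\x06\x01\x04\x03"         # sha256/384/512-rsa, sha256-ecdsa
    authorities = b"".join(struct.pack(">H", len(n)) + n for n in ca_names)
    assert len(authorities) < 2 ** 16, "certificate_authorities vector overflows 2^16-1"
    body = (bytes([len(cert_types)]) + cert_types
            + struct.pack(">H", len(sig_algs)) + sig_algs
            + struct.pack(">H", len(authorities)) + authorities)
    return b"\x0d" + len(body).to_bytes(3, "big") + body


def handshake_bytes_for(num_cas: int) -> int:
    """Size in bytes of a CertificateRequest listing num_cas synthetic CAs."""
    names = [der_name("US", f"Example Trust Services {i}", f"Example Root CA {i}")
             for i in range(num_cas)]
    return len(certificate_request(names))


def fits_limit(num_cas: int, limit_bytes: int) -> bool:
    """Does the CertificateRequest alone stay under a handshake size limit?"""
    return handshake_bytes_for(num_cas) <= limit_bytes


if __name__ == "__main__":
    for n in (1, 50, 150, 300):
        print(n, "CAs ->", handshake_bytes_for(n), "bytes", fits_limit(n, 16 * 1024))
```

Real CA subjects usually carry more attributes than these synthetic ones, so the per-entry cost is higher in practice, and the certificate chain itself is counted against the same handshake limit.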