[Pkg-gnutls-maint] Bug#478191: Bug#478191: Is this really the real fix, or only a workaround?
Marc Haber
mh+debian-bugs at zugschlus.de
Thu May 22 16:00:06 UTC 2008

On Thu, May 22, 2008 at 05:41:50PM +0200, Simon Josefsson wrote:
> Marc Haber <mh+debian-bugs at zugschlus.de> writes:
> > On Thu, May 22, 2008 at 05:20:21PM +0200, Simon Josefsson wrote:
> >> I think increasing the limit is necessary since there appeared to be
> >> some configurations which ran into the earlier limit. Possibly 48kb is
> >> excessive, and it could be made smaller. I think the largest handshake
> >> we saw in reality was 25kb.
> >
> > Yes, but it is bound to grow with Debian's ca-certificates package.
>
> Only if the ca-certificates package has a default so that users trust
> all CAs in the package.

It looks like it has.

> >> Configuring the list of ca-certificates is possible, as far as I know.
> >> GnuTLS doesn't do any of this, it is in the application. I suspect exim
> >> is using the ca-certificates debian infrastructure.
> >
> > The exim package does not do anything like that explicitly, and exim's
> > GnuTLS code is quite rudimentary and certainly not Debian-specific.
>
> Doesn't the debian exim packaging or TLS instructions lead to exim4
> using the CAs in ca-certificates as the trusted CA?

Thanks for asking again, I was tempted to answer again "not that I
know of". Actually, we set tls_verify_certificates to
/etc/ssl/certs/ca-certificates.crt which introduces the issue in the
first place.

I think that I'm going to kill the misfeature that exim asks for
client certificates by default; people do not use them anyway.

> I wouldn't think that upstream exim4 pointed administrators towards
> debian specific files (although I don't know how this stuff is
> intended to work).
>
> I think there is an element of debian-specific configuration or
> documentation that makes this situation happen.

You were right. I apologize.

Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mail address in header
Mannheim, Germany | lose things." Winona Ryder | Phone: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190