Bug#516332: msmtp fails to connect to mail server using libgnutls26 2.6.4-2

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Feb 20 18:40:27 UTC 2009

Thanks for the report, Andy.

On 02/20/2009 12:41 PM, andy bezella wrote:
> after upgrading to libgnutls26 2.6.4-2 msmtp (1.4.16-1) is unable to connect to port 587 of our mailserver using tls.

It looks to me like your mail server is using an X.509 certificate
issued by RapidSSL using the MD5 digest algorithm:

0 dkg at pip:~$ echo | openssl s_client -starttls smtp \
> -connect mail.archive.org:587 2>/dev/null | \
> certtool -i | egrep '(Signature Algorithm|Version|Subject):'
	Version: 3
	Subject: C=US,O=mail.archive.org,OU=GT92459642,OU=See
www.rapidssl.com/resources/cps (c)08,OU=Domain Control Validated -
	Signature Algorithm: RSA-MD5
0 dkg at pip:~$

MD5 is no longer considered safe [0], so GnuTLS does not accept
MD5-digested certificates in order to protect users from malicious

RapidSSL should be willing to re-issue the server's certificate using a
more secure digest algorithm [1] for free.  I've cc'ed
postmaster at archiveorg here, but you may wish to also contact your mail
server administrator personally to ensure that they get an updated,
non-forgeable certificate as soon as possible so that their users are
not expected to rely on a known-broken digest algorithm.

Please see http://www.debian-administration.org/users/dkg/weblog/42 for
more information about this, and follow up here if you have any questions.



[0] http://www.win.tue.nl/hashclash/rogue-ca/


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 890 bytes
Desc: OpenPGP digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-gnutls-maint/attachments/20090220/a2be3c41/attachment.pgp 

More information about the Pkg-gnutls-maint mailing list