Bug#795591: gnutls ocsp bug causes fallback to plain unencrypted connections
Björn JACKE
debianbugs at j3e.de
Sat Aug 15 13:38:52 UTC 2015
Package: gnutls28
Version: 3.3.8-6+deb8u2
gnutls sends OCSP certificate status even if the client didn't request that. This leads to TLS connections to OCSP enabled exim versions to either
1) fail completely (like for gmail trying to deliver mail to exim)
or
2) the other side falls back to unencrypted SMTP connections
Given that, I consider this a serious bug that should be fixed in Jessie.
The patch 45_As-server-don-t-try-to-send-extensions-we-didn-t-rec.patch that
was in the 3.3.16 sid gnutls package should be applied to the Jessie version
also.