Bug#795591: gnutls ocsp bug causes fallback to plain unencrypted connections

Björn JACKE debianbugs at j3e.de
Sat Aug 15 13:38:52 UTC 2015


Package: gnutls28
Version: 3.3.8-6+deb8u2


GnuTLS sends the OCSP certificate status even if the client didn't request that. This causes TLS connections to OCSP-enabled exim versions to

either

1) fail completely (like for gmail trying to deliver mail to exim)

or

2) make the other side fall back to unencrypted SMTP connections

Given that, I consider this a serious bug that should be fixed in Jessie.


The patch 45_As-server-don-t-try-to-send-extensions-we-didn-t-rec.patch that
was in the 3.3.16 sid gnutls package should be applied to the Jessie version
also.
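
The behaviour reported above can be checked from a captured handshake. The following is an added example, not part of the original report or of GnuTLS: it lists ServerHello extension types that were absent from the ClientHello, which RFC 5246 section 7.4.1.4 forbids. The function names and the sample handshake bodies are constructed for illustration.

```python
import struct

STATUS_REQUEST = 5           # status_request (OCSP stapling), RFC 6066
RENEGOTIATION_INFO = 0xFF01  # may legitimately answer the SCSV cipher suite (RFC 5746)

def _ext_types(body, off):
    """Extension type numbers in the (optional) block starting at off."""
    if off >= len(body):
        return set()
    end = off + 2 + struct.unpack_from("!H", body, off)[0]
    off += 2
    if end > len(body):
        raise ValueError("truncated extensions block")
    types = set()
    while off < end:
        if off + 4 > end:
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", body, off)
        off += 4 + ext_len
        if off > end:
            raise ValueError("truncated extension")
        types.add(ext_type)
    return types

def client_hello_extensions(body):
    off = 2 + 32                                       # version, random
    off += 1 + body[off]                               # session_id
    off += 2 + struct.unpack_from("!H", body, off)[0]  # cipher_suites
    off += 1 + body[off]                               # compression_methods
    return _ext_types(body, off)

def server_hello_extensions(body):
    off = 2 + 32                                       # version, random
    off += 1 + body[off]                               # session_id
    off += 2 + 1                                       # cipher_suite, compression_method
    return _ext_types(body, off)

def unsolicited_extensions(client_body, server_body):
    """Extensions the server sent without the client offering them."""
    extra = server_hello_extensions(server_body) - client_hello_extensions(client_body)
    return extra - {RENEGOTIATION_INFO}

# Constructed handshake bodies (TLS 1.2, zero random, empty session_id).
_PREFIX = b"\x03\x03" + bytes(32) + b"\x00"
_SUITES = b"\x00\x02\x00\x2f" + b"\x01\x00"            # one suite, null compression
CLIENT_NO_OCSP = _PREFIX + _SUITES + b"\x00\x08" + b"\x00\x0d\x00\x04\x00\x02\x04\x01"
CLIENT_OCSP = _PREFIX + _SUITES + b"\x00\x09" + b"\x00\x05\x00\x05\x01\x00\x00\x00\x00"
SERVER_STAPLING = _PREFIX + b"\x00\x2f\x00" + b"\x00\x04" + b"\x00\x05\x00\x00"
SERVER_PLAIN = _PREFIX + b"\x00\x2f\x00"
```

`unsolicited_extensions(CLIENT_NO_OCSP, SERVER_STAPLING)` returns `{5}`, the status_request type; the same server reply to `CLIENT_OCSP` returns an empty set.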


