Your message dated Fri, 1 Jan 2010 16:17:49 +0100
with message-id <[email protected]>
and subject line Re: Bug#482420: exim4-config: client certificate request
causes multiple issues
has caused the Debian Bug report #482420,
regarding exim4-config: client certificate request causes multiple issues
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
482420: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=482420
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: exim4-config
Version: 4.69-5
Severity: normal
Hi,
Exim sends a client certificate request whenever a TLS session is
built. This causes trouble with remote sides that do not support
client certificates, or choke on the (big) list of trusted CAs that we
send by default.
The client certificate request should either be disabled at all by
default, or should not send the full list of trusted CAs by default.
Greetings
Marc
--- End Message ---
--- Begin Message ---
Version: 4.70~cvs+20091017-1
On 2008-05-22 Marc Haber <[email protected]> wrote:
> Package: exim4-config
> Version: 4.69-5
> Severity: normal
> Hi,
> Exim sends a client certificate request whenever a TLS session is
> built. This causes trouble with remote sides that do not support
> client certificates, or choke on the (big) list of trusted CAs that we
> send by default.
> The client certificate request should either be disabled at all by
> default, or should not send the full list of trusted CAs by default.
We have done the latter:
  * Do not set 'tls_try_verify_hosts = *' by default anymore. Some clients
    (e.g. Outlook) will terminate the SSL connection when the server presents
    the long list of accepted TLS certificates after STARTTLS. If TLS
    certificate validation of clients is needed you'll need to set
    MAIN_TLS_TRY_VERIFY_HOSTS again and point MAIN_TLS_VERIFY_CERTIFICATES to
    a file containing only the accepted certificates.
    Closes: #515999, #316522, #482012
cu andreas
--- End Message ---