Hi! I'm commenting one thing only in this post, prompted by <http://lists.gnu.org/archive/html/gnutls-devel/2008-01/msg00004.html>.
> and most importantly for me, openssl actually supports full
> certificate chain lookups, so you can be guaranteed that this cert was
> signed by that ca. gnutls does not, to the best of my
> knowledge.

That is not true. GnuTLS can verify that the client certificate chains back to the CA, and has been doing so for a long time (before I became GnuTLS maintainer). Naturally, the application needs to do the right thing to trigger that feature, but there are examples and documentation on how to do it.

I looked in the source for exim4 in src/tls-gnu.c which contains:

    /* Called after a successful handshake, when certificate verification is
       required or optional, for both server and client.

       Arguments:
         session    GNUTLS session
         error      where to put text giving a reason for failure

       Returns:     TRUE/FALSE
    */
    static BOOL verify_certificate(gnutls_session session, uschar **error)

The function calls the relevant gnutls function, gnutls_certificate_verify_peers. It looks reasonably correct, although I did not audit the code.

My conclusion is that the feature is implemented by exim4, and if there is any problem in this area, it would be a bug. Can you provide more information on what made you reach the conclusion above?

/Simon