> I've figured out what the problem is.  If I don't disable kEDH in
> sendmail's config, it fails, but if I do disable it, it works.
> My IMAP server also has kEDH disabled, and so it also works.
> 
> Apparently OpenSSL doesn't try to use kEDH, and so it doesn't fail.
> GnuTLS should implement the same behavior; if a certificate doesn't
> support digitalSignature, then GnuTLS shouldn't try to use it in that
> way.  RSA key exchange is fine for what I need.

This cannot be done due to how SSL/TLS is designed. The certificate is
provided after the ciphersuite is negotiated, thus the client cannot do
anything about this issue. The server seems to be misconfigured to accept
the DHE* ciphersuites even if its certificate does not support it.

GnuTLS servers shouldn't do this, so if the server is based on GnuTLS,
please report it as a bug.

regards,
Nikos
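The point of the reply is that the key-exchange choice is made before the server's certificate is seen, so the server, not the client, has to ensure its certificate's keyUsage allows the suites it offers: DHE/ECDHE suites require digitalSignature (the server signs ServerKeyExchange), while static RSA key exchange requires keyEncipherment. The following is an added example, not code from the thread or from GnuTLS; it decodes a DER-encoded keyUsage extension with a minimal parser and reports which key exchange families an RSA server certificate can legitimately serve. The two sample extension encodings are constructed for the demonstration.

```python
"""Decode an X.509 keyUsage extension (DER) and report which TLS key
exchange families an RSA server certificate may be used for.
Added example for this thread; the sample extensions below are constructed."""

KEY_USAGE_OID = bytes.fromhex("551d0f")  # OID 2.5.29.15 (id-ce-keyUsage)

# Bit positions per RFC 5280 section 4.2.1.3; bit 0 is the MSB of byte 0.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

# Constructed sample: critical keyUsage = digitalSignature + keyEncipherment
SIGN_AND_ENCIPHER = bytes.fromhex("300e 0603551d0f 0101ff 0404 0302 05a0".replace(" ", ""))
# Constructed sample: non-critical keyUsage = keyEncipherment only
ENCIPHER_ONLY = bytes.fromhex("300b 0603551d0f 0404 0302 0520".replace(" ", ""))


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_key_usage_extension(der):
    """Return the set of named keyUsage bits from a DER Extension SEQUENCE."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected Extension SEQUENCE")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or oid != KEY_USAGE_OID:
        raise ValueError("not a keyUsage extension")
    tag, value, pos = _read_tlv(body, pos)
    if tag == 0x01:  # optional 'critical' BOOLEAN; irrelevant to the bits
        tag, value, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING extnValue")
    tag, bits, _ = _read_tlv(value, 0)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    unused, payload = bits[0], bits[1:]
    total_bits = len(payload) * 8 - unused
    usages = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        if i < total_bits and payload[i // 8] & (0x80 >> (i % 8)):
            usages.add(name)
    return usages


def tls_key_exchange_support(usages):
    """Map keyUsage bits to TLS key exchange families for an RSA server cert.

    DHE_RSA / ECDHE_RSA: the server signs ServerKeyExchange, so the
    certificate must permit digitalSignature.
    Static RSA: the client encrypts the premaster secret to the cert's
    public key, so the certificate must permit keyEncipherment."""
    return {
        "DHE_RSA/ECDHE_RSA": "digitalSignature" in usages,
        "RSA": "keyEncipherment" in usages,
    }


if __name__ == "__main__":
    for label, der in (("sign+encipher", SIGN_AND_ENCIPHER), ("encipher-only", ENCIPHER_ONLY)):
        usages = parse_key_usage_extension(der)
        print(label, sorted(usages), tls_key_exchange_support(usages))
```

Run against a real server certificate, the check answers the question raised in the thread from the server operator's side: if the keyUsage lacks digitalSignature, the DHE/ECDHE suites should not be enabled in the server configuration, because no client-side setting can prevent the negotiation failure once the server has accepted such a suite.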



