On 2012-05-27 at 04:35 +0200, Wolfgang Breyha wrote:
> Reading ... comprehending ... two different things. Sorry. I read about the
> MD5 certs several times and didn't check the state of my quite old one.
>
> It was an MD5 cert. I made a new one and gnutls-cli instantly worked.

*phew* So gnutls-cli would have been failing, whether Exim was using OpenSSL or GnuTLS.

I've written a new FAQ to be bundled with the release in the doc/ dir. I'll post about it to -users shortly:

http://git.exim.org/exim.git/blob/HEAD:/doc/doc-txt/GnuTLS-FAQ.txt

There's probably text in that which can usefully make it into the Specification too.

> To get Thunderbird working I had to remove the gnutls-params file in
> Exim's spool directory, too.

This is strange. Exim should have been using a file named "gnutls-params-2236", for the number of bits in the file.

Oh crap. I know what it is. GnuTLS generates *approximately* the number of bits requested, and can go over. OpenSSL is more exact, but takes significantly longer.

Crap crap crap.

I'll lower the default value of tls_dh_max_bits, so that even when generation goes over, the count will *probably* only be 2236 and NSS will work. You probably had a 2237 bit key in the file.

-Phil
