On 09/07/2010 02:39 PM, Jonathan Plews wrote:
> On servers that get these errors: 2.4.2-6+lenny2 and 2.8.6-1 (both from
> debian packages)
>
> I can try downloading latest source, but these are all live servers so I
> have to be careful, I've already taken some heat because of problems ;)
> I just wanted to see if anyone knew anything before putting time into
> things like that.
I suspect that the peer doesn't like the fact that a big list of CA
names is being sent to him. Could you try the attached patch with a test
server?
regards,
Nikos
diff -ur exim4-4.71.bak/src/tls-gnu.c exim4-4.71/src/tls-gnu.c
--- exim4-4.71.bak/src/tls-gnu.c 2010-09-07 18:30:19.000000000 +0200
+++ exim4-4.71/src/tls-gnu.c 2010-09-07 18:32:25.000000000 +0200
@@ -539,6 +539,10 @@
GNUTLS_X509_FMT_PEM);
if (rc < 0) return tls_error(US"setup_certs", host, gnutls_strerror(rc));
+ /* Do not advertize the trusted CAs to the peer.
+ * FIXME: make it configurable */
+ gnutls_certificate_free_ca_names(x509_cred);
+
if (crl != NULL && *crl != 0)
{
if (!expand_check(crl, US"tls_crl", &crl_expanded))
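Review bot: the call to gnutls_certificate_free_ca_names(x509_cred) added after the tls_error check drops the advertised CA list unconditionally, which the FIXME on the line above already flags as needing a configuration knob; since some clients choose which certificate to present from the certificate_authorities list in the CertificateRequest, an empty list can change client behaviour rather than just shrink the handshake, so the follow-up should be a main-section option (default off) rather than leaving the FIXME in place. Two further points on the same hunk: the change only frees the names used for advertisement and leaves the trust store used for verification intact, which is worth stating in the comment so a later reader does not assume verification is weakened; and the comment should read "advertise" rather than "advertize" to match the spelling elsewhere in the file.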
_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls