Your message dated Thu, 14 Dec 2006 16:19:31 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Bug#403072: exim4-daemon-light fails to use equifax SSL 
cert/key obtained from "1&1" hosting
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: exim4-daemon-light
Version: 4.50-8sarge2

When trying to use the equifax key/cert, STARTTLS triggers the following
log:

2006-12-14 13:03:29 TLS error on connection from pd9e39091.dip.t-dialin.net
        (palmen.homeip.net) [217.227.144.145] (cert/key setup:
        cert=/etc/exim4/exim.crt key=/etc/exim4/exim.key): Base64 decoding error.

It works fine when compiling the package with OpenSSL instead of GnuTLS.
So please provide optional "contrib" daemon packages built with OpenSSL,
because this seems to be more compatible than GnuTLS.



--- End Message ---
--- Begin Message ---
On Thu, Dec 14, 2006 at 04:14:20PM +0100, Felix Palmen wrote:
> * Marc Haber <[EMAIL PROTECTED]> [20061214 15:22]:
> > What happens when you use a current version of GnuTLS? Using exim 4.50
> > suggests that you're working on sarge, which has a rather old version
> > of gnutls.
> 
> I tried to do this right now, but found it would require too many
> backports and other updates to the system.

A pity.

> > Things have evolved since then and I am not willing to
> > debug the old stuff (since this bug is not going to be fixed in sarge
> > anyway).
> 
>  Of course it won't, but I'd consider this a general problem.
>  As for me, it's ok if it works after the Etch release, but who knows
>  if there are other incompatibilities with GnuTLS.

There are, of course. And there will always be.

> > Do I see correctly that Equifax is a CA that has issued you a
> > certificate? If so, how did you create the private key belonging to
> > the certificate request / certificate?
> 
> Unfortunately, I had to take the key from the hoster, so I don't know
> how it was generated.

I see.

>  All I know is that OpenSSL can read it without problems.

Unless I can reproduce this, all I can do is close this bug.

> On my home system, I created key/request and signed all myself with
> OpenSSL and this key/cert pair works fine with GnuTLS/sarge, though.

Yes, this is a proven procedure.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

--- End Message ---
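
The thread closes without establishing why the hoster-supplied key produced "Base64 decoding error". As an added example (not part of the original messages, and not Exim or GnuTLS code), the following strict check lists everything in a PEM file that goes beyond bare base64 between matching BEGIN/END lines, which helps narrow down a file that one TLS library accepts and another rejects. The names `lint_pem` and `make_pem` are hypothetical, and the sample data used with them is constructed.

```python
import base64
import re

BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def lint_pem(data: bytes) -> list:
    """List everything in a PEM file beyond bare base64 between matching markers."""
    findings = []
    if b"\r" in data:
        findings.append("carriage returns (CRLF line endings)")
    label, body, blocks = None, [], 0
    for n, raw in enumerate(data.decode("latin-1").split("\n"), 1):
        line = raw.rstrip("\r")
        if label is None:  # outside a block: only a BEGIN line or a blank is expected
            m = BEGIN.match(line)
            if m:
                label, body = m.group(1), []
            elif line.strip():
                findings.append(f"line {n}: text outside a PEM block")
            continue
        m = END.match(line)
        if m:
            if m.group(1) != label:
                findings.append(f"line {n}: END {m.group(1)} closes BEGIN {label}")
            try:
                base64.b64decode("".join(body), validate=True)
            except ValueError:  # binascii.Error is a subclass of ValueError
                findings.append(f"{label}: body is not valid base64")
            label, blocks = None, blocks + 1
        elif ":" in line:  # RFC 1421 style header, e.g. Proc-Type on an encrypted key
            findings.append(f"line {n}: encapsulated header {line.split(':')[0]}")
        elif line != line.strip():
            findings.append(f"line {n}: leading or trailing whitespace")
            body.append(line.strip())
        elif line:  # blank lines inside a block are skipped
            body.append(line)
    if label is not None:
        findings.append(f"BEGIN {label} has no matching END line")
    if blocks == 0:
        findings.append("no complete PEM block found")
    return findings


def make_pem(label: str, payload: bytes, eol: str = "\n") -> bytes:
    """Build a constructed sample PEM block (the payload is not a real key)."""
    rows = re.findall(".{1,64}", base64.b64encode(payload).decode())
    return eol.join([f"-----BEGIN {label}-----", *rows, f"-----END {label}-----", ""]).encode()
```

An empty result means the file is plain PEM; each finding is a deviation to normalise before testing the pair again against both libraries.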
