GnuTLS 2.12.0 and later use p11-kit and chose to enable auto-loading of modules by default when GnuTLS is initialised. It's unfortunate that this combines badly with PKCS11 modules which expect to interact with the user, but may well be correct for PKCS11 modules which interact with a TPM store or some other device, to let the MTA have a secure identity on a tamper-proof chip.
The current solution in Debian is my first pass "does this fix it for you?" hack, which disables the module auto-loading. The version committed to git for the next Exim release adds a new option "gnutls_enable_pkcs11", defaulting to False, because with these GUI keyring integration modules in the wild, the reporter is quite right: the MTA should not be loading those modules. IMO this is a failure of the module configuration mechanism used, the user-interfaces for configuring those modules and a sign of a deeper problem. But there's a way for us to avoid triggering those problems, so we're now doing that by default.

