> I've figured out what the problem is. If I don't disable kEDH in
> sendmail's config, it fails, but if I do disable it, it works.
> My IMAP server also has kEDH disabled, and so it also works.
>
> Apparently OpenSSL doesn't try to use kEDH, and so it doesn't fail.
> GnuTLS should implement the same behavior; if a certificate doesn't
> support digitalSignature, then GnuTLS shouldn't try to use it in that
> way. RSA key exchange is fine for what I need.
This cannot be done due to how SSL/TLS is designed. The certificate is provided after the ciphersuite is negotiated, thus the client cannot do anything about this issue. The server seems to be misconfigured to accept the DHE* ciphersuites even if its certificate does not support it. GnuTLS servers shouldn't do this, so if the server is based on GnuTLS please report it as a bug.

regards,
Nikos
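The server-side check Nikos describes, as an added example that is not code from the thread, GnuTLS or sendmail: it decodes a certificate's keyUsage extension value (a DER BIT STRING) and reports which enabled key-exchange families the certificate cannot back. The mapping in `KX_REQUIRES` (RSA key exchange needs keyEncipherment, DHE/ECDHE need digitalSignature because the server signs ServerKeyExchange) and the sample BIT STRING values are my own constructions for the example.

```python
# Added example: detect a server certificate whose keyUsage cannot support
# the key-exchange families the server has enabled (the misconfiguration
# discussed above). Not code from GnuTLS, sendmail or the thread.

# RFC 5280 keyUsage bit positions (bit 0 is the MSB of the first payload byte)
KEY_USAGE_BITS = {
    0: "digitalSignature", 1: "nonRepudiation", 2: "keyEncipherment",
    3: "dataEncipherment", 4: "keyAgreement", 5: "keyCertSign",
    6: "cRLSign", 7: "encipherOnly", 8: "decipherOnly",
}

# Which keyUsage bit each key-exchange family relies on with an RSA certificate
KX_REQUIRES = {
    "RSA": "keyEncipherment",     # client encrypts the premaster secret to the cert key
    "DHE": "digitalSignature",    # server signs the ephemeral DH parameters
    "ECDHE": "digitalSignature",  # server signs the ephemeral ECDH parameters
}

def decode_key_usage(der: bytes) -> set:
    """Decode a short-form DER BIT STRING holding keyUsage flags into a set of names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated length")
    unused = der[2]            # number of padding bits in the last payload byte
    payload = der[3:]
    usages = set()
    for byte_index, byte in enumerate(payload):
        for bit_in_byte in range(8):
            if byte_index == len(payload) - 1 and bit_in_byte >= 8 - unused:
                break          # remaining bits are padding, not flags
            bit = byte_index * 8 + bit_in_byte
            if byte & (0x80 >> bit_in_byte) and bit in KEY_USAGE_BITS:
                usages.add(KEY_USAGE_BITS[bit])
    return usages

def check_ciphersuites(key_usage: set, enabled_kx: list) -> list:
    """Return the enabled key-exchange families this certificate cannot support."""
    return [kx for kx in enabled_kx if KX_REQUIRES[kx] not in key_usage]

# Constructed sample keyUsage values (not taken from the thread)
KEY_ENC_ONLY = bytes.fromhex("03020520")   # keyEncipherment only
SIG_AND_ENC = bytes.fromhex("030205a0")    # digitalSignature + keyEncipherment

if __name__ == "__main__":
    for label, der in (("keyEncipherment only", KEY_ENC_ONLY), ("sig+enc", SIG_AND_ENC)):
        ku = decode_key_usage(der)
        print(label, sorted(ku), "cannot negotiate:", check_ciphersuites(ku, ["RSA", "DHE", "ECDHE"]))
```

A server operator can run this against the keyUsage value pulled from their own certificate to see why DHE suites fail the handshake while plain RSA key exchange succeeds.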