Marc Haber <[EMAIL PROTECTED]> writes:

> On Thu, May 22, 2008 at 05:20:21PM +0200, Simon Josefsson wrote:
>> I think increasing the limit is necessary since there appeared to be
>> some configurations which ran into the earlier limit.  Possibly 48kb is
>> excessive, and it could be made smaller.  I think the largest handshake
>> we saw in reality was 25kb.
>
> Yes, but it is bound to grow with Debian's ca-certificates package.

Only if the ca-certificates package has a default so that users trust
all CAs in the package.

>> Configuring the list of ca-certificates is possible, as far as I know.
>> GnuTLS doesn't do any of this, it is in the application.  I suspect exim
>> is using the ca-certificates debian infrastructure.
>
> The exim package does not do anything like that explicitly, and exim's
> GnuTLS code is quite rudimentary and certainly not Debian-specific.

Doesn't the debian exim packaging or TLS instructions lead to exim4
using the CAs in ca-certificates as the trusted CA?  I wouldn't think
that upstream exim4 pointed administrators towards debian specific files
(although I don't know how this stuff is intended to work).

I think there is an element of debian-specific configuration or
documentation that makes this situation happen.

>>   It seems some people click to trust every CA in the entire world (or
>>   close to that)
>
> That seems to be the default when installing Debian's ca-certificates
> package.

That would be the problem then: either that, or exim4 shouldn't by
default request a client certificate (which triggers sending the list of
trusted CAs).

>> Possibly we could even revert back to the earlier 16kb limit, if the
>> configurations with a lot of CAs are considered excessive and buggy by
>> themselves.
>
> So that would be a bug in the ca-certificates package, which I
> unfortunately do not know of.

It would be useful to bring this up with the maintainers of
ca-certificates to understand why this is the case.

/Simon