Marc Haber <[EMAIL PROTECTED]> writes:

> On Thu, May 22, 2008 at 05:20:21PM +0200, Simon Josefsson wrote:
>> I think increasing the limit is necessary since there appeared to be
>> some configurations which ran into the earlier limit. Possibly 48kb is
>> excessive, and it could be made smaller. I think the largest handshake
>> we saw in reality was 25kb.
>
> Yes, but it is bound to grow with Debian's ca-certificates package.

Only if the ca-certificates package has a default so that users trust
all CAs in the package.

>> Configuring the list of ca-certificates is possible, as far as I know.
>> GnuTLS doesn't do any of this, it is in the application. I suspect exim
>> is using the ca-certificates debian infrastructure.
>
> The exim package does not do anything like that explicitly, and exim's
> GnuTLS code is quite rudimentary and certainly not Debian-specific.

Doesn't the Debian exim packaging or TLS instructions lead to exim4 using
the CAs in ca-certificates as the trusted CA? I wouldn't think that
upstream exim4 pointed administrators towards Debian-specific files
(although I don't know how this stuff is intended to work). I think there
is an element of Debian-specific configuration or documentation that
makes this situation happen.

>> It seems some people click to trust every CA in the entire world (or
>> close to that)
>
> That seems to be the default when installing Debian's ca-certificates
> package.

That would be the problem then: either that, or exim4 shouldn't by
default request a client certificate (which triggers sending the list of
trusted CAs).

>> Possibly we could even revert back to the earlier 16kb limit, if the
>> configurations with a lot of CAs are considered excessive and buggy by
>> themselves.
>
> So that would be a bug in the ca-certificates package, which I
> unfortunately do not know of.

It would be useful to bring this up with the maintainers of
ca-certificates to understand why this is the case.

/Simon

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
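The thread turns on one mechanism: when a TLS server requests a client certificate, its CertificateRequest message carries the DER-encoded Distinguished Name of every CA it trusts, so the handshake grows by roughly the size of one DN per trusted CA. The script below is an added illustration, not code from the thread, GnuTLS or exim. It DER-encodes constructed sample CA names (no real CA bundle is used), assembles the TLS 1.2 CertificateRequest body as laid out in RFC 5246 section 7.4.4 with a single certificate type and a single signature/hash pair (both assumptions chosen to keep the fixed part small), and reports how the message size scales with the number of trusted CAs. It runs offline with the standard library only.

```python
"""Estimate how a TLS 1.2 CertificateRequest grows with each trusted CA.

Added example, not part of the mailing-list thread. The CA names are
constructed sample values; a real CA bundle's DNs are typically longer,
so the real message is larger than what this script reports.
"""
import struct

# Attribute types used in the constructed sample names (X.520 OIDs).
OID_CN = "2.5.4.3"
OID_O = "2.5.4.10"
OID_C = "2.5.4.6"


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """One DER tag-length-value element."""
    return bytes([tag]) + der_length(len(content)) + content


def der_oid(dotted: str) -> bytes:
    """Encode a dotted OID: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))


def der_name(attrs) -> bytes:
    """Name ::= SEQUENCE OF RDN, each RDN a SET holding one AttributeTypeAndValue."""
    rdns = b""
    for oid, value in attrs:
        # Country is a PrintableString (0x13); the other values use UTF8String (0x0C).
        tag = 0x13 if oid == OID_C else 0x0C
        atv = der_tlv(0x30, der_oid(oid) + der_tlv(tag, value.encode()))
        rdns += der_tlv(0x31, atv)
    return der_tlv(0x30, rdns)


def certificate_request(ca_names) -> bytes:
    """TLS 1.2 CertificateRequest body (RFC 5246 7.4.4).

    certificate_types: 1-byte count + types (assumed: rsa_sign only)
    supported_signature_algorithms: 2-byte length + pairs (assumed: sha256/rsa)
    certificate_authorities: 2-byte length + (2-byte length + DER Name) per CA
    """
    cert_types = b"\x01" + b"\x01"
    sig_algs = struct.pack("!H", 2) + b"\x04\x01"
    dns = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    return cert_types + sig_algs + struct.pack("!H", len(dns)) + dns


def sample_ca_names(num_cas: int):
    """Constructed sample CA subject names, one per trusted CA."""
    return [
        der_name([(OID_C, "XX"),
                  (OID_O, f"Sample Root CA Org {i}"),
                  (OID_CN, f"Sample Root CA {i}")])
        for i in range(num_cas)
    ]


def handshake_growth(num_cas: int) -> int:
    """Byte size of the CertificateRequest when num_cas sample CAs are trusted."""
    return len(certificate_request(sample_ca_names(num_cas)))


if __name__ == "__main__":
    for n in (0, 1, 10, 150):
        print(f"{n:4d} trusted CAs -> CertificateRequest of {handshake_growth(n)} bytes")
```

The fixed part of the message is only 8 bytes here; everything else is the DN list, so a server that trusts a whole distribution bundle pays for every entry on every handshake in which it requests a client certificate. Not requesting a client certificate, or trusting a short explicit list of CAs, removes that cost entirely, which is the trade-off the thread discusses.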

