On Thu, May 22, 2008 at 05:41:50PM +0200, Simon Josefsson wrote:
> Marc Haber <[EMAIL PROTECTED]> writes:
> > On Thu, May 22, 2008 at 05:20:21PM +0200, Simon Josefsson wrote:
> >> I think increasing the limit is necessary since there appeared to be
> >> some configurations which ran into the earlier limit.  Possibly 48kb is
> >> excessive, and it could be made smaller.  I think the largest handshake
> >> we saw in reality was 25kb.
> >
> > Yes, but it is bound to grow with Debian's ca-certificates package.
>
> Only if the ca-certificates package has a default so that users trust
> all CAs in the package.

It looks like it has.

> >> Configuring the list of ca-certificates is possible, as far as I know.
> >> GnuTLS doesn't do any of this, it is in the application.  I suspect exim
> >> is using the ca-certificates debian infrastructure.
> >
> > The exim package does not do anything like that explicitly, and exim's
> > GnuTLS code is quite rudimentary and certainly not Debian-specific.
>
> Doesn't the debian exim packaging or TLS instructions lead to exim4
> using the CAs in ca-certificates as the trusted CA?

Thanks for asking again, I was tempted to answer again "not that I
know of". Actually, we set tls_verify_certificates to
/etc/ssl/certs/ca-certificates.crt which introduces the issue in the
first place. I think that I'm going to kill the misfeature that exim
asks for client certificates by default, people do not use them
anyway.

> I wouldn't think that upstream exim4 pointed administrators towards
> debian specific files (although I don't know how this stuff is
> intended to work).
>
> I think there is an element of debian-specific configuration or
> documentation that makes this situation happen.

You were right. I apologize.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190
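The mechanism discussed in this thread, as an added example that is not part of the original message or of exim or GnuTLS code: a server that asks for a client certificate lists the DN of every CA it trusts in its CertificateRequest, so that message grows with the file named in tls_verify_certificates. The DNs below are constructed, and applying the 48kb figure (taken as 48 * 1024 bytes) to this one message alone is an assumption.

```python
# Added example (not from the thread): how the CA list inflates CertificateRequest.
import struct

def tlv(tag, value):
    """DER tag-length-value with definite length encoding."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value

def dn(org, cn):
    """DER X.501 Name holding O (2.5.4.10) and CN (2.5.4.3)."""
    rdns = b""
    for oid, text in ((b"\x55\x04\x0a", org), (b"\x55\x04\x03", cn)):
        atv = tlv(0x30, tlv(0x06, oid) + tlv(0x0C, text.encode("utf-8")))
        rdns += tlv(0x31, atv)
    return tlv(0x30, rdns)

def certificate_request(dns):
    """CertificateRequest in the TLS 1.0/1.1 layout (RFC 2246, section 7.4.4)."""
    cert_types = bytes([1, 2])  # rsa_sign, dss_sign
    cas = b"".join(struct.pack("!H", len(d)) + d for d in dns)
    if len(cas) > 0xFFFF:
        raise ValueError("certificate_authorities is capped at 2^16-1 bytes")
    body = bytes([len(cert_types)]) + cert_types + struct.pack("!H", len(cas)) + cas
    return bytes([13]) + len(body).to_bytes(3, "big") + body  # type 13 + uint24 length

def constructed_dns(count):
    """Constructed sample DNs standing in for the subjects in a CA bundle."""
    return [dn("Constructed CA Org %03d" % i, "Constructed Root CA %03d" % i)
            for i in range(count)]

def request_size(count):
    return len(certificate_request(constructed_dns(count)))

def cas_that_fit(limit_bytes):
    """Largest CA count whose CertificateRequest stays within limit_bytes."""
    per_ca = request_size(2) - request_size(1)  # 2-byte length prefix + DN
    fixed = request_size(1) - per_ca            # header, cert types, list length
    return min((limit_bytes - fixed) // per_ca, 0xFFFF // per_ca)

if __name__ == "__main__":
    for count in (1, 50, 140, 692):
        print(count, "CAs ->", request_size(count), "bytes")
    print("fit in 48 KiB:", cas_that_fit(48 * 1024))
```

Real CA subject DNs are often longer than these constructed 69-byte ones, so a real bundle reaches a given size with fewer entries.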

