On 2012-05-17 at 09:04 -0400, Phil Pennock wrote: > I'm picking through the test suite and finding more corner cases now.
When I wrote that, I'd fixed one bug. I've spent a lot of time tracking down why things are still going wrong, before realising that the test certificate uses md5WithRSAEncryption. I can generate a new cert, but I also want to make sure *that* still works if the priority string is set to NORMAL:%VERIFY_ALLOW_SIGN_RSA_MD5 and so far I'm failing. So the basic problem is one of trying to fight new security requirements of the underlying library, to let admins continue to shoot themselves in the feet if they so choose. README.UPDATING will have this extra paragraph in the TLS notes: Note that by default, GnuTLS will not accept RSA-MD5 signatures in chains. A tls_require_ciphers value of NORMAL:%VERIFY_ALLOW_SIGN_RSA_MD5 should re-enable support. So far, I'm failing to make that true. EXPORT:%VERIFY_ALLOW_SIGN_RSA_MD5 doesn't help. Still seeing: 10842 GnuTLS<1>: Could not find an appropriate certificate: Insufficient credentials for that request. For certainty, I've generated two new certs, and indeed that fixes most of the problems. The other option is to say "You're using TLS for a reason? Stop using MD5 then, as the GnuTLS folks recommend", in which case README.UPDATING would say: Note that GnuTLS no longer accepts RSA-MD5 signatures in certificate chains, including in self-signatures. In theory, a tls_require_ciphers value of NORMAL:%VERIFY_ALLOW_SIGN_RSA_MD5 should re-enable support, but this does not appear to work. We recommend following the advice of the experts and not using MD5 signatures in certificates. One stance is that it's a case where maintaining backwards compatibility is bad, because that is being deliberately broken to improve security. Thoughts? Am really coming around to the idea of making the next release be 4.80 instead of 4.78, to highlight that there are issues to watch for here. -Phil -- ## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
