On 2012-05-26 at 20:23 -0400, Phil Pennock wrote:
> For clarity, you're saying:
> * everything works using OpenSSL as Exim's TLS provider
> * problems with GnuTLS as Exim's TLS provider
> * no problem with openssl s_client against Exim/GnuTLS
> * problem with gnutls-cli and thunderbird against Exim/GnuTLS
>
> Are you using an MD5-based self-signed certificate? Remember that
> GnuTLS no longer supports MD5 in certificates, since they've been proven
> to be broken in real world practical attacks.
>
> If not, does Exim 4.77 built against the same GnuTLS library work?
>
> If it does not work in Exim 4.77 then there has been no regression and
> there's a problem with how GnuTLS was built on your system.
>
> If it is MD5 as a cause, I welcome a code suggestion for detecting this
> and providing better diagnostics.

Oh, and because you're using GnuTLS 2.x, an EOF is reported as a packet of unexpected length. With GnuTLS 3.x, there's a separate error-code for EOF.

So I strongly suspect that you're using an MD5-based cert, the GnuTLS client is rejecting it for being MD5-based, the client drops the connection, the server reports a packet of unexpected length, that being the string from gnutls_strerror() for the error code returned in GnuTLS 2.

If it's not an MD5 cert, but it's still a client policy rejection, then the same applies.

-Phil
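
The message above asks for a way to detect an MD5-signed certificate so the server can give a better diagnostic. The following is an added example, not part of the original message and not Exim or GnuTLS code: a dependency-free C check that walks the DER structure of a certificate and reports whether its outer signatureAlgorithm is md5WithRSAEncryption. The names `der_tlv`, `cert_sig_is_md5` and the two sample byte arrays are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Parse one DER tag/length header; return pointer to the value, or NULL if malformed. */
static const unsigned char *der_tlv(const unsigned char *p, const unsigned char *end,
                                    unsigned char *tag, size_t *len) {
    if (end - p < 2) return NULL;
    *tag = *p++;
    size_t n = *p++;
    if (n & 0x80) {                      /* long form: low 7 bits count the length octets */
        size_t k = n & 0x7f;
        if (k == 0 || k > 4 || (size_t)(end - p) < k) return NULL;
        for (n = 0; k > 0; k--) n = (n << 8) | *p++;
    }
    if ((size_t)(end - p) < n) return NULL;  /* value must fit inside the buffer */
    *len = n;
    return p;
}

/* 1 = outer signatureAlgorithm is md5WithRSAEncryption, 0 = anything else, -1 = malformed. */
int cert_sig_is_md5(const unsigned char *der, size_t der_len) {
    static const unsigned char md5_rsa[] =   /* OID 1.2.840.113549.1.1.4 */
        {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x04};
    const unsigned char *end = der + der_len, *p, *v;
    unsigned char tag;
    size_t len;
    /* Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue } */
    if (!(p = der_tlv(der, end, &tag, &len)) || tag != 0x30) return -1;
    end = p + len;
    if (!(v = der_tlv(p, end, &tag, &len)) || tag != 0x30) return -1;  /* tbsCertificate */
    p = v + len;                                                       /* skip over it */
    if (!(v = der_tlv(p, end, &tag, &len)) || tag != 0x30) return -1;  /* AlgorithmIdentifier */
    if (!(v = der_tlv(v, v + len, &tag, &len)) || tag != 0x06) return -1;  /* its OID */
    return len == sizeof md5_rsa && memcmp(v, md5_rsa, len) == 0;
}

/* Constructed skeletons (empty tbsCertificate and signature), not real certificates. */
const unsigned char sample_md5[] = {0x30,0x14, 0x30,0x00, 0x30,0x0d,0x06,0x09,0x2a,0x86,
    0x48,0x86,0xf7,0x0d,0x01,0x01,0x04,0x05,0x00, 0x03,0x01,0x00};
const unsigned char sample_sha256[] = {0x30,0x14, 0x30,0x00, 0x30,0x0d,0x06,0x09,0x2a,0x86,
    0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00, 0x03,0x01,0x00};

int main(void) {
    if (cert_sig_is_md5(sample_md5, sizeof sample_md5) == 1)
        puts("warning: certificate is MD5-signed; GnuTLS clients will reject it");
    printf("sha256 sample flagged: %d\n", cert_sig_is_md5(sample_sha256, sizeof sample_sha256));
    return 0;
}
```

The check expects a single DER-encoded certificate; a PEM file has to be base64-decoded first, and each certificate in a chain checked separately.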
