Author: Heiko Schlittermann Date: To: exim-dev Subject: Re: [exim-dev] Big CA certificate bundle causes problems with
Janne Snabb <snabb@???> (Di 05 Jun 2012 08:25:48 CEST): > On 2012-05-30 05:44, Janne Snabb wrote:
> > This is not affecting deliveries in real life because nobody is
> > using the buggy GnuTLS versions on the client side yet.
> Just a correction to my previous statement:
> I did start seeing some TLS handshake failures with the Debian/Ubuntu
> certificate bundle and "tls_try_verify_hosts = *". So it looks like
> there are few mail senders who use some of the broken GnuTLS versions.
> Thus it is not a good idea to run such a setup in a production
> environment. Reducing the amount of CA's or disabling
> "tls_try_verify_hosts" solves the problem until we get the "don't
> advertise CAs" knob in the next release :).
Just for the records, I think the problem is already known for some