Debian Bug report logs - #446036
exim4: please compile against openssl instead of gnutls


Package: exim4; Maintainer for exim4 is Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>; Source for exim4 is src:exim4.

Reported by: Stephen Gran <sgran@debian.org>

Date: Wed, 10 Oct 2007 00:18:04 UTC

Severity: normal

Found in version exim4/4.63-17



Report forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#446036; Package exim4. Full text and rfc822 format available.

Acknowledgement sent to Stephen Gran <sgran@debian.org>:
New Bug report received and forwarded. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Stephen Gran <sgran@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: exim4: please compile against openssl instead of gnutls
Date: Wed, 10 Oct 2007 01:12:51 +0100
[Message part 1 (text/plain, inline)]
Package: exim4
Version: 4.63-17
Severity: normal

Hello,

The subject pretty much says it all.  I see that there are a half dozen
TLS related bugs open in the BTS about odd failures that will most likely
disappear if you use the more robust implementation.  Additionally,
openssl uses less system entropy for the same cryptographic strength
(there go your bugs about the gnutls random seed) and most importantly
for me, openssl actually supports full certificate chain lookups, so
you can be guaranteed that this cert was signed by that ca.
gnutls does not, to the best of my knowledge.

I fully understand the desire to assist gnutls, but until it provides a
comparable feature set at a comparable performance level, I think that
the default MTA in Debian could do slightly better.  It's not as if
there's a licensing issue - there is an explicit exemption for openssl.

Ordinarily I would make a 'please do such and such in the packaging'
bug severity: wishlist, but given how many other open bugs appear to be
directly related to this choice, and how far gnutls is from providing some
fairly crucial features, I think that wishlist is too low a priority.
That being said, I am not interested in BTS ping pong and won't argue
if you decide to downgrade the bug.

Thanks,

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-686
Locale: LANG=en_US.utf-8, LC_CTYPE=en_US.utf-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.utf-8)

-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#446036; Package exim4. Full text and rfc822 format available.

Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #10 received at 446036@bugs.debian.org (full text, mbox):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Stephen Gran <sgran@debian.org>, 446036@bugs.debian.org
Subject: Re: Bug#446036: exim4: please compile against openssl instead of gnutls
Date: Wed, 10 Oct 2007 17:21:56 +0200
On Wed, Oct 10, 2007 at 01:12:51AM +0100, Stephen Gran wrote:
> It's not as if
> there's a licensing issue - there is an explicit exemption for openssl.

So you want to have the mysql binding removed from exim4-daemon-heavy?
Or exim4-daemon-heavy against gnutls and -light against openssl?

> That being said, I am not interested in BTS ping pong and won't argue
> if you decide to downgrade the bug.

I will probably refer this to the tech ctte.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190




Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#446036; Package exim4. Full text and rfc822 format available.

Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #15 received at 446036@bugs.debian.org (full text, mbox):

From: Stephen Gran <sgran@debian.org>
To: Marc Haber <mh+debian-packages@zugschlus.de>
Cc: 446036@bugs.debian.org
Subject: Re: Bug#446036: exim4: please compile against openssl instead of gnutls
Date: Wed, 10 Oct 2007 16:58:46 +0100
[Message part 1 (text/plain, inline)]
This one time, at band camp, Marc Haber said:
> On Wed, Oct 10, 2007 at 01:12:51AM +0100, Stephen Gran wrote:
> > It's not as if
> > there's a licensing issue - there is an explicit exemption for openssl.
> 
> So you want to have the mysql binding removed from exim4-daemon-heavy?
> Or exim4-daemon-heavy against gnutls and -light against openssl?

Why would that be an issue?  mysql isn't linking to openssl, exim is.

> > That being said, I am not interested in BTS ping pong and won't argue
> > if you decide to downgrade the bug.
> 
> I will probably refer this to the tech ctte.

*shrug*.  Sure, whatever you like.  ftp-master is the more obvious
people to ask, but whichever seems reasonable to you.

Thanks,
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#446036; Package exim4. Full text and rfc822 format available.

Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #20 received at 446036@bugs.debian.org (full text, mbox):

From: Stephen Gran <sgran@debian.org>
To: Marc Haber <mh+debian-packages@zugschlus.de>
Cc: 446036@bugs.debian.org
Subject: Re: Bug#446036: exim4: please compile against openssl instead of gnutls
Date: Wed, 10 Oct 2007 19:31:33 +0100
[Message part 1 (text/plain, inline)]
This one time, at band camp, Marc Haber said:
> On Wed, Oct 10, 2007 at 01:12:51AM +0100, Stephen Gran wrote:
> > It's not as if
> > there's a licensing issue - there is an explicit exemption for openssl.
> 
> So you want to have the mysql binding removed from exim4-daemon-heavy?
> Or exim4-daemon-heavy against gnutls and -light against openssl?

OK, just to be clear here, what I understand you to be arguing is that
the shared library loading will create an executable space that contains
both mysql (GPL + no exemption) and openssl, and that this will create
a GPL violation.  Am I correct?

First, there is one problem with this argument - you already link to
libpq5, which depends on openssl, and so you already have the thing
you're trying to avoid.

Second, the exim code for mysql lookups does not simultaneously use
openssl functions - they are logically separate pieces of code.  This
means that this is not an attempt to work around the GPL by making an
application whose primary purpose is to act as a shim layer between
openssl and mysql.

As I read it, there would be no GPL violation in the linking I am
proposing.  Even more to the point, the linkage you are saying is a GPL
violation is _already_ happening.
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#446036; Package exim4. Full text and rfc822 format available.

Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #25 received at 446036@bugs.debian.org (full text, mbox):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Stephen Gran <sgran@debian.org>
Cc: 446036@bugs.debian.org
Subject: Re: Bug#446036: exim4: please compile against openssl instead of gnutls
Date: Sat, 20 Oct 2007 12:20:13 +0200
On Wed, Oct 10, 2007 at 04:58:46PM +0100, Stephen Gran wrote:
> This one time, at band camp, Marc Haber said:
> > On Wed, Oct 10, 2007 at 01:12:51AM +0100, Stephen Gran wrote:
> > > It's not as if
> > > there's a licensing issue - there is an explicit exemption for openssl.
> > 
> > So you want to have the mysql binding removed from exim4-daemon-heavy?
> > Or exim4-daemon-heavy against gnutls and -light against openssl?
> 
> Why would that be an issue?  mysql isn't linking to openssl, exim is.

I'd say that the "links" attribute is transitive, so that we'd have
linkage of openssl via exim to mysql.

> > > That being said, I am not interested in BTS ping pong and won't argue
> > > if you decide to downgrade the bug.
> > 
> > I will probably refer this to the tech ctte.
> 
> *shrug*.  Sure, whatever you like.  ftp-master is the more obvious
> people to ask, but whichever seems reasonable to you.

I think that a question to the tech ctte has more chance of receiving
an answer.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190




Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#446036; Package exim4. Full text and rfc822 format available.

Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #30 received at 446036@bugs.debian.org (full text, mbox):

From: Stephen Gran <sgran@debian.org>
To: Marc Haber <mh+debian-packages@zugschlus.de>
Cc: 446036@bugs.debian.org
Subject: Re: Bug#446036: exim4: please compile against openssl instead of gnutls
Date: Sat, 20 Oct 2007 11:25:40 +0100
[Message part 1 (text/plain, inline)]
This one time, at band camp, Marc Haber said:
> On Wed, Oct 10, 2007 at 04:58:46PM +0100, Stephen Gran wrote:
> > This one time, at band camp, Marc Haber said:
> > > On Wed, Oct 10, 2007 at 01:12:51AM +0100, Stephen Gran wrote:
> > > > It's not as if there's a licensing issue - there is an explicit
> > > > exemption for openssl.
> > > 
> > > So you want to have the mysql binding removed from
> > > exim4-daemon-heavy?  Or exim4-daemon-heavy against gnutls and
> > > -light against openssl?
> > 
> > Why would that be an issue?  mysql isn't linking to openssl, exim
> > is.
> 
> I'd say that the "links" attribute is transitive, so that we'd have
> linkage of openssl via exim to mysql.

Just like you do now with libpq?  I've already explained why I don't
think this is an issue in a separate email.

> > > > That being said, I am not interested in BTS ping pong and won't
> > > > argue if you decide to downgrade the bug.
> > > 
> > > I will probably refer this to the tech ctte.
> > 
> > *shrug*.  Sure, whatever you like.  ftp-master is the more obvious
> > people to ask, but whichever seems reasonable to you.
> 
> I think that a question to the tech ctte has more chance of receiving
> an answer.

Since I said ftp-master was probably more helpful, I've put my money
where my mouth is.  I've already spoken with Ganneff, and he said my
proposal would be acceptable to him, in his role in NEW processing, at
least.

My main point about the tech-ctte was that it is mainly for unresolved
disputes - it's a bit early to go running to them before we've even had
a good argument :)

TTYL,
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#446036; Package exim4. Full text and rfc822 format available.

Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #35 received at 446036@bugs.debian.org (full text, mbox):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Stephen Gran <sgran@debian.org>
Cc: 446036@bugs.debian.org
Subject: Re: Bug#446036: exim4: please compile against openssl instead of gnutls
Date: Sat, 20 Oct 2007 12:30:51 +0200
On Wed, Oct 10, 2007 at 07:31:33PM +0100, Stephen Gran wrote:
> As I read it, there would be no GPL violation in the linking I am
> proposing.  Even more to the point, the linkage you are saying is a GPL
> violation is _already_ happening.

Which is bad. I'll discuss this.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190




Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#446036; Package exim4. Full text and rfc822 format available.

Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #40 received at 446036@bugs.debian.org (full text, mbox):

From: Stephen Gran <sgran@debian.org>
To: Marc Haber <mh+debian-packages@zugschlus.de>
Cc: 446036@bugs.debian.org
Subject: Re: Bug#446036: exim4: please compile against openssl instead of gnutls
Date: Sat, 20 Oct 2007 15:43:03 +0100
[Message part 1 (text/plain, inline)]
This one time, at band camp, Marc Haber said:
> On Wed, Oct 10, 2007 at 07:31:33PM +0100, Stephen Gran wrote:
> > As I read it, there would be no GPL violation in the linking I am
> > proposing.  Even more to the point, the linkage you are saying is a GPL
> > violation is _already_ happening.
> 
> Which is bad. I'll discuss this.

Have you seen
http://www.mysql.com/company/legal/licensing/foss-exception.html

It appears that even if we disagree about what constitutes a GPL
violation, all relevant pieces of software have an openssl exception.

Thanks,
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#446036; Package exim4. Full text and rfc822 format available.

Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #45 received at 446036@bugs.debian.org (full text, mbox):

From: Stephen Gran <sgran@debian.org>
To: Marc Haber <mh+debian-packages@zugschlus.de>
Cc: 446036@bugs.debian.org
Subject: Re: Bug#446036: exim4: please compile against openssl instead of gnutls
Date: Sat, 27 Oct 2007 14:51:32 +0100
[Message part 1 (text/plain, inline)]
Hi,

Have you had a chance to think about this, in light of the fact that
there is no license incompatibility?  I'm not trying to rush you, I just
didn't want this bug forgotten.

Thanks,
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#446036; Package exim4. Full text and rfc822 format available.

Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #50 received at 446036@bugs.debian.org (full text, mbox):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: Stephen Gran <sgran@debian.org>
Cc: 446036@bugs.debian.org
Subject: Re: Bug#446036: exim4: please compile against openssl instead of gnutls
Date: Sun, 4 Nov 2007 18:47:08 +0100
On Sat, Oct 27, 2007 at 02:51:32PM +0100, Stephen Gran wrote:
> Have you had a chance to think about this, in light of the fact that
> there is no license incompatibility?  I'm not trying to rush you, I just
> didn't want this bug forgotten.


I have asked for external input, see 
http://blog.zugschlus.de/archives/585-exim4-vs.-OpenSSL-vs.-GnuTLS.html

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190




Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#446036; Package exim4. Full text and rfc822 format available.

Acknowledgement sent to Marc Haber <mh+debian-packages@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #55 received at 446036@bugs.debian.org (full text, mbox):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: 446036@bugs.debian.org, 446036-submitter@bugs.debian.org
Cc: Stephen Gran <sgran@debian.org>
Subject: Re: Bug#446036: exim4: please compile against openssl instead of gnutls
Date: Thu, 3 Jan 2008 01:54:06 +0100
On Sun, Nov 04, 2007 at 06:47:08PM +0100, Marc Haber wrote:
> I have asked for external input, see 
> http://blog.zugschlus.de/archives/585-exim4-vs.-OpenSSL-vs.-GnuTLS.html

Since we still have some time until lenny release, I have decided to
give GnuTLS two more months to clear up their issues. The most
pressing issue is the entropy issue, IMO, which has lost some of its
threat since exim does not block on entropy depletion. The
interoperability issues with mobile phones might be the fault of a
commercial library vendor.

You might want to subscribe gnutls-devel@gnu.org to join the discussion.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835




Message sent on to Stephen Gran <sgran@debian.org>:
Bug#446036. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#446036; Package exim4. Full text and rfc822 format available.

Acknowledgement sent to Simon Josefsson <simon@josefsson.org>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #63 received at 446036@bugs.debian.org (full text, mbox):

From: Simon Josefsson <simon@josefsson.org>
To: Stephen Gran <sgran@debian.org>
Cc: 446036@bugs.debian.org
Subject: Re: exim4: please compile against openssl instead of gnutls
Date: Thu, 03 Jan 2008 22:41:35 +0100
Hi!  I'm commenting one thing only in this post, prompted by
<http://lists.gnu.org/archive/html/gnutls-devel/2008-01/msg00004.html>.

> and most importantly for me, openssl actually supports full
> certificate chain lookups, so you can be guaranteed that this cert was
> signed by that ca.  gnutls does not, to the best of my
> knowledge.

That is not true.  GnuTLS can verify that the client certificate chains
back to the CA, and has been doing so for a long time (before I became
GnuTLS maintainer).  Naturally, the application needs to do the right
thing to trigger that feature, but there are examples and documentation
on how to do it.  I looked in the source for exim4 in src/tls-gnu.c
which contains:

/* Called after a successful handshake, when certificate verification is
required or optional, for both server and client.

Arguments:
  session    GNUTLS session
  error      where to put text giving a reason for failure

Returns:     TRUE/FALSE
*/

static BOOL
verify_certificate(gnutls_session session, uschar **error)

The function calls the relevant gnutls function,
gnutls_certificate_verify_peers.  It looks reasonably correct, although
I did not audit the code.

My conclusion is that the feature is implemented by exim4, and if there
is any problem in this area, it would be a bug.  Can you provide more
information on what made you reach the conclusion above?

/Simon




Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#446036; Package exim4. (Sat, 28 Mar 2009 20:51:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>. (Sat, 28 Mar 2009 20:51:02 GMT) Full text and rfc822 format available.

Message #68 received at 446036@bugs.debian.org (full text, mbox):

From: Stephen Gran <sgran@debian.org>
To: Simon Josefsson <simon@josefsson.org>
Cc: 446036@bugs.debian.org
Subject: Re: exim4: please compile against openssl instead of gnutls
Date: Sat, 28 Mar 2009 20:48:24 +0000
[Message part 1 (text/plain, inline)]
This one time, at band camp, Simon Josefsson said:
> Hi!  I'm commenting one thing only in this post, prompted by
> <http://lists.gnu.org/archive/html/gnutls-devel/2008-01/msg00004.html>.
> 
> > and most importantly for me, openssl actually supports full
> > certificate chain lookups, so you can be guaranteed that this cert was
> > signed by that ca.  gnutls does not, to the best of my
> > knowledge.
> 
> That is not true.  GnuTLS can verify that the client certificate chains
> back to the CA, and has been doing so for a long time (before I became
> GnuTLS maintainer).  Naturally, the application needs to do the right
> thing to trigger that feature, but there are examples and documentation
> on how to do it.  I looked in the source for exim4 in src/tls-gnu.c
> which contains:

I spoke imprecisely, and for that I'm sorry.  I meant that when exim is 
compiled against openssl, it can be pointed to a directory of hashed
certs and it will perform validation against certs found there.  gnutls
does not seem to have this ability, to the best of my knowledge, and you
have to instead manually include the ca.crts you are interested in a
file.  This may be a limitation of the parts of the gnutls API that exim
exposes, but I was under the impression this is a limitation of gnutls.

I remember some issues getting CRLs to work with exim and gnutls, but
that may have either been an error in the exim implementation or an
error on my part - gnutls would not be very useful if it couldn't handle
revocations.

Cheers,
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>:
Bug#446036; Package exim4. (Tue, 31 Mar 2009 09:36:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Simon Josefsson <simon@josefsson.org>:
Extra info received and forwarded to list. Copy sent to Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>. (Tue, 31 Mar 2009 09:36:21 GMT) Full text and rfc822 format available.

Message #73 received at 446036@bugs.debian.org (full text, mbox):

From: Simon Josefsson <simon@josefsson.org>
To: Stephen Gran <sgran@debian.org>
Cc: 446036@bugs.debian.org
Subject: Re: exim4: please compile against openssl instead of gnutls
Date: Tue, 31 Mar 2009 11:31:39 +0200
Stephen Gran <sgran@debian.org> writes:

> This one time, at band camp, Simon Josefsson said:
>> Hi!  I'm commenting one thing only in this post, prompted by
>> <http://lists.gnu.org/archive/html/gnutls-devel/2008-01/msg00004.html>.
>> 
>> > and most importantly for me, openssl actually supports full
>> > certificate chain lookups, so you can be guaranteed that this cert was
>> > signed by that ca.  gnutls does not, to the best of my
>> > knowledge.
>> 
>> That is not true.  GnuTLS can verify that the client certificate chains
>> back to the CA, and has been doing so for a long time (before I became
>> GnuTLS maintainer).  Naturally, the application needs to do the right
>> thing to trigger that feature, but there are examples and documentation
>> on how to do it.  I looked in the source for exim4 in src/tls-gnu.c
>> which contains:
>
> I spoke imprecisely, and for that I'm sorry.  I meant that when exim is 
> compiled against openssl, it can be pointed to a directory of hashed
> certs and it will perform validation against certs found there.  gnutls
> does not seem to have this ability, to the best of my knowledge, and you
> have to instead manually include the ca.crts you are interested in a
> file.

Right.

> This may be a limitation of the parts of the gnutls API that exim
> exposes, but I was under the impression this is a limitation of
> gnutls.

It is intentional, not a limitation.  The method to use a directory with
hashed certs is specific to OpenSSL.  The GnuTLS APIs allow you to
implement that model, if you really want to: use readdir to list the
files in the directory, and decide whether to parse and trust each file
as a CA cert.  Be sure to compare this with OpenSSL's documentation on
how hashed directories are intended to work, maybe you shouldn't trust
all files in that directory.

> I remember some issues getting CRLs to work with exim and gnutls, but
> that may have either been an error in the exim implementation or an
> error on my part - gnutls would not be very useful if it couldn't handle
> revocations.

Please report it to us if you can reproduce it.  I don't think many
people use CRLs.

/Simon
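Stephen's hashed-cert-directory point (message #68) and Simon's readdir sketch above, worked through as an added C example; this is not exim's or GnuTLS's code. It implements the file-selection rule OpenSSL's hashed directory actually uses (only `<hash>.N` and `<hash>.rN` files, tried in sequence until the first gap) and contrasts it with a readdir scan that would trust every file in the directory. The directory contents and hash values are constructed for the demo, and the step of handing the selected files to a TLS library's CA-loading call is left out.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>

/* Parse an OpenSSL hashed-directory file name: 8 hex digits of the subject
   name hash, '.', an optional 'r' (CRL rather than certificate) and a decimal
   sequence number, e.g. "4a6481c9.0" or "4a6481c9.r1". Anything else
   (README, old-ca.pem.bak) is rejected. Returns 1 on match, 0 otherwise. */
int parse_hashed_name(const char *name, char hash[9], int *is_crl, unsigned *seq)
{
    const char *p; char *end; int i;
    for (i = 0; i < 8; i++) {
        if (!isxdigit((unsigned char)name[i]))   /* a short name's NUL stops here too */
            return 0;
        hash[i] = (char)tolower((unsigned char)name[i]);
    }
    hash[8] = '\0';
    if (name[8] != '.')
        return 0;
    p = name + 9;
    *is_crl = (*p == 'r');
    if (*is_crl)
        p++;
    if (!isdigit((unsigned char)*p))            /* rejects "", "+1", " 1" */
        return 0;
    *seq = (unsigned)strtoul(p, &end, 10);
    return *end == '\0';                         /* rejects "4a6481c9.0.bak" */
}

/* OpenSSL's by-directory lookup for one name hash: open <dir>/<hash>.0,
   <dir>/<hash>.1, ... (<hash>.r0, <hash>.r1, ... for CRLs) and stop at the
   first missing sequence number. Returns how many files would be consulted.
   A file whose name does not fit, or that sits behind a gap, is never opened;
   it only becomes trusted if the application loads the whole directory. */
int hashed_dir_lookup(const char *dir, const char *hash, int want_crl)
{
    char path[512]; struct stat st; int n = 0;
    for (;;) {
        snprintf(path, sizeof path, "%s/%s.%s%d", dir, hash, want_crl ? "r" : "", n);
        if (stat(path, &st) != 0)
            break;
        n++;
    }
    return n;
}

/* The readdir model in its naive "trust the whole directory" form: count every
   visible entry such a loader would parse, and how many even follow the hashed
   naming convention. Returns 0, or -1 if the directory cannot be opened. */
int scan_dir(const char *dir, int *total_files, int *well_named)
{
    DIR *d = opendir(dir); struct dirent *e;
    char hash[9]; int is_crl; unsigned seq;
    *total_files = *well_named = 0;
    if (d == NULL)
        return -1;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] == '.')                 /* skip ".", ".." and dotfiles */
            continue;
        (*total_files)++;
        if (parse_hashed_name(e->d_name, hash, &is_crl, &seq))
            (*well_named)++;
    }
    closedir(d);
    return 0;
}

/* Constructed demo directory under /tmp; the hashes are made up, not real CA
   subject hashes. Writes the created path into dir; returns 0 or -1. */
int make_demo_dir(char *dir, size_t len)
{
    static const char *names[] = {
        "4a6481c9.0", "4a6481c9.1",  /* two CA certs under one subject hash        */
        "4a6481c9.r0",               /* a CRL issued under that same name          */
        "0b1c2d3e.2",                /* .0 and .1 missing: lookup never reaches it */
        "README", "old-ca.pem.bak",  /* stray files a naive loader would trust     */
    };
    char path[512]; FILE *f; size_t i;
    snprintf(dir, len, "/tmp/hashdir-XXXXXX");
    if (mkdtemp(dir) == NULL)
        return -1;
    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        if ((f = fopen(path, "w")) != NULL)
            fclose(f);
    }
    return 0;
}
```

Calling make_demo_dir and then scan_dir and hashed_dir_lookup on the returned path shows the difference: the naive scan sees 6 files of which 4 are well named, while the by-hash lookup for 4a6481c9 consults 2 certificates and 1 CRL and the lookup for 0b1c2d3e consults nothing because of the gap.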






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 00:43:48 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.