> > it seems gnutls can open a new encrypted connection on your server.
> > But it can't do it with the TLS protocol, try the following commands:
> > gnutls-cli -s -p 1025 your.mailserver.com
> > at the prompt enter the following commands (one for each prompt):
> > EHLO example.com
> > STARTTLS
> > Ctrl-D
> >
> > The handshake negotiation fails.
> I got a SIGSEGV, using the gnutls-cli from gnutls-bin Version: 1.4.0-2:
> [...]
> Isn't this a potential security hole in gnutls-cli?
Maybe. It sure is a bug. It may be time to try to get help from the gnutls people.

With the following line:

> > gnutls-cli -s -p 1025 your.mailserver.com

GnuTLS should be able to handshake with SSLv3 and TLSv1 hosts. Similarly, msmtp/GnuTLS should be able to handshake with an SSLv3 or TLSv1 host because it disables neither of these protocols.

> > it seems msmtp can't connect to servers which use the SSL 3.0 protocol.
> > A solution might be to link against libgnutls-openssl to add support for
> > openssl 3.0 compatibility layer.

Libgnutls-openssl provides a subset of the OpenSSL API on top of GnuTLS. This is intended to compile programs that were written for OpenSSL with GnuTLS. However, this does not work very well right now, and probably never will; see this post from one of the GnuTLS maintainers:
http://article.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/1553

You could try to recompile msmtp with the patch below instead. This will enable full debugging output for the GnuTLS library.

Martin

diff -u -r1.5 tls.c --- src/tls.c 17 Mar 2006 14:10:52 -0000 1.5 +++ src/tls.c 3 Jul 2006 12:59:33 -0000 @@ -925,12 +925,19 @@ * see tls.h */ +void tmp_log_func(int level, const char* s) +{ + fprintf(stderr, "GNUTLS DEBUG %d: %s", level, s); +} + int tls_init(tls_t *tls, const char *key_file, const char *cert_file, const char *trust_file, char **errstr) { #ifdef HAVE_GNUTLS int error_code; + gnutls_global_set_log_level(11); + gnutls_global_set_log_function(tmp_log_func); if ((error_code = gnutls_init(&tls->session, GNUTLS_CLIENT)) != 0) { *errstr = xasprintf(_("cannot initialize TLS Session: %s"),
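Review bot: the hunk wires the log level (11) and the callback into tls_init() unconditionally, so this must stay a throwaway debug patch and never be committed as-is; if it is going to be kept around for more than one build, make `tmp_log_func` `static` (it is an external symbol with no prototype here), read the level from an environment variable or an msmtp option, and only call gnutls_global_set_log_level()/gnutls_global_set_log_function() when debugging was asked for. Two smaller points in the same hunk: the format string `"GNUTLS DEBUG %d: %s"` has no trailing newline, so it relies on every GnuTLS log message ending in one (otherwise consecutive messages run together on stderr), and because the output goes to stderr it will be interleaved with msmtp's own error messages; when the reporter pastes it to the list, the stderr capture should be reviewed for server and certificate details before it is posted publicly.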
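The EHLO / STARTTLS exchange that the quoted reproduction steps drive by hand (EHLO, STARTTLS, then Ctrl-D to start the handshake), written out as a small client-side state machine with a scripted stand-in for the server so it runs offline. This is an added example and is not code from msmtp, GnuTLS or anyone in this thread; the readline/sendall transport interface, the ScriptedServer class and the canned server replies are all constructed for the example. The security-relevant part is the two checks a client must make before handing the socket to the TLS library: the server must advertise STARTTLS in its EHLO reply (a missing line is a downgrade, not a reason to continue in clear), and it must answer the STARTTLS command with 220.

```python
"""SMTP STARTTLS preamble: the EHLO / STARTTLS exchange that precedes the
TLS handshake, as a client-side state machine over an abstract transport.

Added example, not code from msmtp or GnuTLS. The transport interface
(readline/sendall callables), ScriptedServer and the sample replies are
assumptions constructed for this example.
"""
import re

# RFC 5321 reply line: 3-digit code, then " " (last line) or "-" (continuation).
_REPLY_RE = re.compile(rb"^(\d{3})([ -])(.*?)\r?\n$")


class SmtpError(Exception):
    pass


def read_reply(readline):
    """Read one (possibly multi-line) SMTP reply. Returns (code, [text lines])."""
    code = None
    lines = []
    while True:
        raw = readline()
        if not raw:
            raise SmtpError("connection closed while reading reply")
        m = _REPLY_RE.match(raw)
        if not m:
            raise SmtpError("malformed reply line: %r" % raw)
        this_code, sep, text = m.groups()
        if code is None:
            code = int(this_code)
        elif int(this_code) != code:
            raise SmtpError("inconsistent codes inside a multi-line reply")
        lines.append(text.decode("ascii", "replace"))
        if sep == b" ":          # final line of the reply
            return code, lines


def starttls_preamble(readline, sendall, ehlo_name="example.com"):
    """Drive the session up to the point where the TLS handshake begins.

    Returns the EHLO extensions the server advertised. Raises SmtpError on
    any deviation, including a server that does not offer STARTTLS.
    """
    code, _ = read_reply(readline)                      # server greeting
    if code != 220:
        raise SmtpError("unexpected greeting code %d" % code)
    sendall(b"EHLO " + ehlo_name.encode("ascii") + b"\r\n")
    code, lines = read_reply(readline)
    if code != 250:
        raise SmtpError("EHLO rejected with %d" % code)
    # lines[0] is the server's domain line; the rest are extension keywords.
    extensions = [l.split()[0].upper() for l in lines[1:] if l.strip()]
    if "STARTTLS" not in extensions:
        raise SmtpError("server does not advertise STARTTLS; refusing to continue in clear")
    sendall(b"STARTTLS\r\n")
    code, _ = read_reply(readline)
    if code != 220:
        raise SmtpError("STARTTLS refused with %d" % code)
    # This is the point at which gnutls-cli (after Ctrl-D) or msmtp hands the
    # raw socket to the TLS library; nothing more may be sent in clear.
    return extensions


class ScriptedServer:
    """Constructed stand-in for a mail server: replays canned replies and
    records what the client sent, so the exchange runs without a network."""

    def __init__(self, replies):
        self.replies = list(replies)
        self.sent = []

    def readline(self):
        return self.replies.pop(0) if self.replies else b""

    def sendall(self, data):
        self.sent.append(data)


# Constructed replies for a server that offers STARTTLS ...
GOOD_SERVER = [
    b"220 your.mailserver.com ESMTP ready\r\n",
    b"250-your.mailserver.com\r\n",
    b"250-PIPELINING\r\n",
    b"250-STARTTLS\r\n",
    b"250 8BITMIME\r\n",
    b"220 2.0.0 Ready to start TLS\r\n",
]
# ... and for one that does not (or whose STARTTLS line was stripped in transit).
NO_TLS_SERVER = [
    b"220 your.mailserver.com ESMTP ready\r\n",
    b"250-your.mailserver.com\r\n",
    b"250 8BITMIME\r\n",
]


def run_good():
    srv = ScriptedServer(GOOD_SERVER)
    return starttls_preamble(srv.readline, srv.sendall), srv.sent


def run_no_tls():
    srv = ScriptedServer(NO_TLS_SERVER)
    try:
        starttls_preamble(srv.readline, srv.sendall)
    except SmtpError as e:
        return str(e), srv.sent
    return None, srv.sent


if __name__ == "__main__":
    print(run_good())
    print(run_no_tls())
```

With a real socket, `readline` would be `sock.makefile("rb").readline` and `sendall` would be `sock.sendall`; after `starttls_preamble` returns, the same socket is what gets wrapped by the TLS library, which is exactly the step that fails in the report above.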