Thanks for the report, Andy.

On 02/20/2009 12:41 PM, andy bezella wrote:
> after upgrading to libgnutls26 2.6.4-2 msmtp (1.4.16-1) is unable to connect 
> to port 587 of our mailserver using tls.

It looks to me like your mail server is using an X.509 certificate
issued by RapidSSL using the MD5 digest algorithm:

0 d...@pip:~$ echo | openssl s_client -starttls smtp \
> -connect mail.archive.org:587 2>/dev/null | \
> certtool -i | egrep '(Signature Algorithm|Version|Subject):'
        Version: 3
        Subject: C=US,O=mail.archive.org,OU=GT92459642,OU=See www.rapidssl.com/resources/cps (c)08,OU=Domain Control Validated - RapidSSL(R),CN=mail.archive.org
        Signature Algorithm: RSA-MD5
0 d...@pip:~$

MD5 is no longer considered safe [0], so GnuTLS does not accept
MD5-digested certificates in order to protect users from malicious
certificates.

RapidSSL should be willing to re-issue the server's certificate using a
more secure digest algorithm [1] for free.  I've cc'ed
postmas...@archiveorg here, but you may wish to also contact your mail
server administrator personally to ensure that they get an updated,
non-forgeable certificate as soon as possible so that their users are
not expected to rely on a known-broken digest algorithm.

Please see http://www.debian-administration.org/users/dkg/weblog/42 for
more information about this, and follow up here if you have any questions.

Regards,

        --dkg

[0] http://www.win.tue.nl/hashclash/rogue-ca/

[1] https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=AD125
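
Added example (not part of the original message, and not code from GnuTLS or msmtp): a shell function that applies the check described above to a whole chain, reading the text output of `certtool -i` or `openssl x509 -noout -text` and flagging every certificate signed with an MD5 (or MD2) digest. The function names, the sample data and the assumption that each certificate's dump starts with a `Version:` line are this example's own.

```shell
#!/bin/sh
# audit_sig_algs: read certificate text dumps on stdin and print one line
# per certificate: "<WEAK|ok> TAB <signature algorithm> TAB <subject>".
# Exit status is 1 if any certificate uses an MD5/MD2 signature digest.
# Assumption: a "Version:" line opens each certificate (true for both
# tools, and it survives the egrep filter used in the message above).
audit_sig_algs() {
    awk '
    function emit() {
        if (alg == "") return
        # certtool prints "RSA-MD5", openssl prints "md5WithRSAEncryption"
        verdict = (tolower(alg) ~ /md[25]/) ? "WEAK" : "ok"
        if (verdict == "WEAK") bad = 1
        printf "%s\t%s\t%s\n", verdict, alg, subject
        alg = subject = ""
    }
    /^[ \t]*Version:/ { emit(); next }
    /^[ \t]*Subject:/ {
        sub(/^[ \t]*Subject:[ \t]*/, ""); subject = $0; next
    }
    # openssl prints this field twice per certificate; the last one wins
    /^[ \t]*Signature Algorithm:/ {
        sub(/^[ \t]*Signature Algorithm:[ \t]*/, ""); alg = $0; next
    }
    END { emit(); exit bad + 0 }
    '
}

# Constructed sample: a certtool-style leaf followed by an openssl-style
# intermediate. Names are placeholders, not real certificates.
sample_chain() {
    cat <<'EOF'
X.509 Certificate Information:
        Version: 3
        Subject: C=US,O=mail.example.org,CN=mail.example.org
        Signature Algorithm: RSA-MD5
Certificate:
    Data:
        Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Subject: CN = Example Intermediate CA
    Signature Algorithm: sha256WithRSAEncryption
EOF
}

# Usage: sample_chain | audit_sig_algs
```

Against a live server, feed it each certificate from the chain after decoding it with `certtool -i`; a non-zero exit status means at least one certificate needs to be re-issued.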

