>>>>> "KR" == Kurt Roeckx <k...@roeckx.be> writes:
KR> A self-signed cert's signature algorithm really isn't that
KR> important. You either trust that cert or you don't. Which
KR> is why openssl started to ignore this for root CAs. I'm not
KR> sure what gnutls does with it.

Thanks. That is most reasonable.

Empirically, the version of gnutls in wheezy does care about the self sig on the root cert when presented with a tls client cert chain where it (the tls server) is not configured to trust the chain's root, the root's self sig is md5 and the ee cert's sig is sha256.

In this case, the tls server does not require a trusted client cert, but notes the presence of such certs.

So, the ONLY thing gnutls objected to in the case was that the presented client cert chain had a root-self-sig using MD5.

I will send a note to gnutls-devel about it. And one to postfix-devel suggesting that if the tls nego fails just after offering a client cert, that it retry w/o the client cert.

I've worked around the problem locally by offering a different cert when sending mail.

-JimC
--
James Cloos <cl...@jhcloos.com> OpenPGP: 1024D/ED7DAEA6

Archive: http://lists.debian.org/m3bo3u1940....@carbon.jhcloos.org
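The distinction the thread turns on (a self-signed root's own signature carries no trust weight, while a weak signature on the EE or an intermediate is a real defect) written out as a small chain-audit check. This is an added example, not code from either poster or from OpenSSL, GnuTLS or Postfix; `CertInfo` and the sample chain are constructed stand-ins for the subject, issuer and signature-algorithm fields one would read off real certificates.

```python
from dataclasses import dataclass

# Digests considered broken for certificate signatures.
WEAK_DIGESTS = {"md2", "md4", "md5", "sha1"}


@dataclass(frozen=True)
class CertInfo:
    """Constructed stand-in for the fields read off a parsed certificate."""
    subject: str
    issuer: str
    sig_digest: str  # digest of signatureAlgorithm, e.g. "sha256" or "md5"

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def order_chain(certs):
    """Return the chain leaf-first by following issuer -> subject links."""
    by_subject = {c.subject: c for c in certs}
    issued = {c.issuer for c in certs if not c.self_signed}
    leaves = [c for c in certs if c.subject not in issued]
    if len(leaves) != 1:
        raise ValueError("chain must contain exactly one end-entity cert")
    chain, cur = [], leaves[0]
    while True:
        chain.append(cur)
        if cur.self_signed or cur.issuer not in by_subject:
            return chain
        cur = by_subject[cur.issuer]


def check_chain(certs, ignore_root_self_sig=True):
    """Audit signature digests along the chain; returns (accepted, findings).

    ignore_root_self_sig=True mirrors OpenSSL's treatment of a self-signed
    root: the anchor is trusted or it is not, its own signature proves nothing.
    False mirrors the strict behaviour of the wheezy gnutls described above,
    which rejected the chain solely because the root self-signature used MD5.
    """
    accepted, findings = True, []
    for cert in order_chain(certs):
        digest = cert.sig_digest.lower()
        if digest not in WEAK_DIGESTS:
            continue
        if cert.self_signed and ignore_root_self_sig:
            findings.append(f"info: root {cert.subject!r} self-signed with {digest} (ignored)")
        else:
            accepted = False
            findings.append(f"reject: {cert.subject!r} signed with {digest}")
    return accepted, findings


# Constructed sample matching the post: SHA-256 EE cert, MD5 root self-signature.
CLIENT_CHAIN = [
    CertInfo("CN=smtp client", "CN=Example Root", "sha256"),
    CertInfo("CN=Example Root", "CN=Example Root", "md5"),
]
```

Running `check_chain(CLIENT_CHAIN)` accepts the chain with an informational finding, while `check_chain(CLIENT_CHAIN, ignore_root_self_sig=False)` rejects it, which is exactly the disagreement between the two libraries the thread describes.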