Thorsten Glaser writes:
> Only if it provides secrecy.
> If one of the communication partners (say, the client, because it’s on a
> mobile) uses a guessable secret (say, due to lack of entropy), the
> session is lost.
I think that statement is somewhat too absolute. There are levels of
protect
Ian Jackson chiark.greenend.org.uk> writes:
> > Curiously, the optional ephemeral Diffie-Hellman part of the TLS
> > protocol runs in plaintext, which means that it can be attacked
> > directly, without bothering to attack the RSA part. As a result, that
> I diagree. Forward secrecy is general
> "KR" == Kurt Roeckx writes:
KR> A self-signed cert's signature algorithm really isn't that
KR> important. You either trust that cert or you don't. Which
KR> is why openssl started to ignore this for root CAs. I'm not
KR> sure what gnutls does with it.
Thanks. That is most reasonable.
Florian Weimer writes ("Re: tlsa for smtp to @bugs.debian.org"):
>* Bastian Blank:
>> On Fri, Sep 13, 2013 at 10:51:06PM +0200, Kurt Roeckx wrote:
>>> I think gnutls by default has a minimum size of 727 for the DH
>>> size while openssl doesn't have any c
* Bastian Blank:
> On Fri, Sep 13, 2013 at 10:51:06PM +0200, Kurt Roeckx wrote:
>> I think gnutls by default has a minimum size of 727 for the DH
>> size while openssl doesn't have any check for this. But if you're
>> using DH you really want to move to something like 2048 if
>> possible.
>
> Thi
On Fri, Sep 13, 2013 at 11:31:38PM +0200, Paul Wise wrote:
> On Fri, Sep 13, 2013 at 10:51 PM, Kurt Roeckx wrote:
>
> > A self-signed cert's signature algorithm really isn't that
> > important. You either trust that cert or you don't.
>
> Surely this work would apply to self-signed certs too?
>
On Fri, Sep 13, 2013 at 10:51:06PM +0200, Kurt Roeckx wrote:
> I think gnutls by default has a minimum size of 727 for the DH
> size while openssl doesn't have any check for this. But if you're
> using DH you really want to move to something like 2048 if
> possible.
This prime size is pretty irre
On Fri, Sep 13, 2013 at 10:51 PM, Kurt Roeckx wrote:
> A self-signed cert's signature algorithm really isn't that
> important. You either trust that cert or you don't.
Surely this work would apply to self-signed certs too?
http://www.win.tue.nl/hashclash/rogue-ca/
--
bye,
pabs
http://wiki.de
On Fri, Sep 13, 2013 at 10:51:06PM +0200, Kurt Roeckx wrote:
> > The problem in the referenced URI is that gnutls refuses to tolerate
> > a less secure DH key size. Here, gnutls refuses to tolerate a less
> > secure hash algorithm.
>
> I think gnutls by default has a minimum size of 727 for the D
On Fri, Sep 13, 2013 at 09:29:30AM -0400, James Cloos wrote:
>
> The root problem (pardon the pun) is that cacert's root certificate is
> signed with md5 and gnutls doesn't like that.
A self-signed cert's signature algorithm really isn't that
important. You either trust that cert or you don't.
> "Md" == Marco d'Itri writes:
Md> Maybe it is related to this?
Md> http://www.postfix.org/announcements/postfix-2.10.2.html
It is related, but different.
The root problem (pardon the pun) is that cacert's root certificate is
signed with md5 and gnutls doesn't like that.
When I use gnutls
On Sep 12, Tollef Fog Heen wrote:
> 2013-09-12 02:35:44 TLS error on connection from ore.jhcloos.com
> [198.147.23.85] (gnutls_handshake): The signature algorithm is not supported.
Maybe it is related to this?
http://www.postfix.org/announcements/postfix-2.10.2.html
TLS Interoperability workar
This one time, at band camp, James Cloos said:
> I'll try to trigger it on a cloud server with debugging turned up and
> get a more detailed debug log.
>
> Which release does buxtehude run? Wheezy?
Yes. Can we have a copy of your public cert to see if we can see
anything?
Cheers,
--
---
]] James Cloos
No need to Cc me.
[...]
> Which release does buxtehude run? Wheezy?
Yes.
--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
> "TFH" == Tollef Fog Heen writes:
TFH> It's usually a good idea to mail the people who actually run the
TFH> debian.org systems if you want help debugging problems like this.
The first note, as I wrote, was an attempt to confirm whether the
problem was limited to @bugs's MX.
Given the firs
> "SG" == Stephen Gran writes:
SG> You've confirmed that postfix can talk to postfix, at least. I
SG> suppose that's a start. The debian.org MXs are different machines
SG> to lists, and they run exim.
Yeah. I noticed that after I sent the first note.
I had checked the @deb MXs, but forgo
This one time, at band camp, James Cloos said:
> This seems to be an openssl vs exim issue.
Yes, we've had more than one of them. Please add to the open bugs in
the BTS about any issues with the Debian build of exim and openssl.
> I'm sending this here to confirm whether the @deb MXs work
Y
]] James Cloos
It's usually a good idea to mail the people who actually run the
debian.org systems if you want help debugging problems like this.
> It turned out that buxtehude's exim doesn't like the (cacert-signed,
> wildcard) cert my box offers when sending mail.
2013-09-12 02:35:44 TLS erro
It turned out that buxtehude's exim doesn't like the (cacert-signed,
wildcard) cert my box offers when sending mail.
Blocking that allowed the TLS negotiation to complete, resulting in:
Verified TLS connection established to
buxtehude.debian.org[140.211.166.26]:25:
TLSv1.2 with cipher D
First of all, thanks for adding the TLSA RR for _25._tcp.buxtehude.debian.org.
It is a significant step forward, even given the following.
Sadly, using postfix 2.11-20130825-1 for outgoing smtp with:
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtp_dns_support_level = dnssec
sm
20 matches
Mail list logo
