Comments on: ETOOMANYCERTS http://www.outflux.net/blog/archives/2009/01/13/etoomanycerts/ code is freedom -- patching my itch Fri, 12 Mar 2010 03:50:35 -0800 http://wordpress.org/?v=2.8.4 hourly 1 By: kees http://www.outflux.net/blog/archives/2009/01/13/etoomanycerts/comment-page-1/#comment-707 kees Wed, 14 Jan 2009 18:43:47 +0000 http://www.outflux.net/blog/?p=179#comment-707 Yeah, it seems that my problem stemmed from a misunderstanding about the proper use of "CAfile". Once the TLS extensions got enable, I got spanked. :) Thanks for everyone's details! Yeah, it seems that my problem stemmed from a misunderstanding about the proper use of “CAfile”. Once the TLS extensions got enable, I got spanked. :) Thanks for everyone’s details!

]]> By: Kurt Roeckx http://www.outflux.net/blog/archives/2009/01/13/etoomanycerts/comment-page-1/#comment-706 Kurt Roeckx Wed, 14 Jan 2009 18:16:54 +0000 http://www.outflux.net/blog/?p=179#comment-706 The most important change in openssl is probably enabling tls extensions. I've seen various reports that it breaks something, and I wouldn't be surprised if outlooks also has a problem with it. Debian turned it on in version 0.9.8g-5, there was a security update for it (CVE-2008-1672, 0.9.8g-10.1) and then we backported a fix from 0.9.8h in 0.9.8g-13 that prevented iceweasel from connecting. Openssl upstream has changed the default to on in their latest release (a week ago) and I've already seen at least 2 bug reports about that since. Kurt The most important change in openssl is probably enabling tls extensions. I’ve seen various reports that it breaks something, and I wouldn’t be surprised if outlooks also has a problem with it. Debian turned it on in version 0.9.8g-5, there was a security update for it (CVE-2008-1672, 0.9.8g-10.1) and then we backported a fix from 0.9.8h in 0.9.8g-13 that prevented iceweasel from connecting. Openssl upstream has changed the default to on in their latest release (a week ago) and I’ve already seen at least 2 bug reports about that since.

Kurt

]]> By: Simon Josefsson http://www.outflux.net/blog/archives/2009/01/13/etoomanycerts/comment-page-1/#comment-705 Simon Josefsson Wed, 14 Jan 2009 13:19:54 +0000 http://www.outflux.net/blog/?p=179#comment-705 Trusting tons of CA's is the root problem here, I think. If you do not use client authentication and accept client certificates signed by all of these CAs, removing the CAs is the right thing to do. I think what changed between Hardy and Intrepid was likely the ca-certificates package. Perhaps the default was to not trust many CAs before, and this changed recently? Trusting tons of CA’s is the root problem here, I think. If you do not use client authentication and accept client certificates signed by all of these CAs, removing the CAs is the right thing to do. I think what changed between Hardy and Intrepid was likely the ca-certificates package. Perhaps the default was to not trust many CAs before, and this changed recently?

]]> By: mirabilos http://www.outflux.net/blog/archives/2009/01/13/etoomanycerts/comment-page-1/#comment-704 mirabilos Wed, 14 Jan 2009 09:17:52 +0000 http://www.outflux.net/blog/?p=179#comment-704 Hi, please see the second part of https://www.mirbsd.org/permalinks/wlog-10_e20090114-tg.htm for an answer which might be able to help. A fellow DM Hi, please see the second part of https://www.mirbsd.org/permalinks/wlog-10_e20090114-tg.htm
for an answer which might be able to help.

A fellow DM

]]>