Big CA certificate bundle causes problems with GnuTLS 3.0.11

Phil Pennock help-gnutls-phil at
Wed May 30 05:47:54 CEST 2012

On 2012-05-30 at 03:10 +0000, Janne Snabb wrote:
> Google is one big e-mail sender that presents a client certificate signed
> by one of the ~150 "well-known" CAs (I have not checked which one). There
> are other similar but smaller mail senders also.

Equifax, apparently:

52394 SSL verify ok: depth=2 cert=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
52394 SSL verify ok: depth=1 cert=/C=US/O=Google Inc/CN=Google Internet Authority
52394 SSL peer: /C=US/ST=California/L=Mountain View/O=Google Inc/

Hrm, Exim needs a +tls_peer_issuerdn log selector.


More information about the Gnutls-help mailing list