Bug#678238: root cause analysis

Phil Pennock pdp at exim.org
Sun Jun 24 10:10:47 UTC 2012


GnuTLS 2.12.0 and later use p11-kit and chose to enable auto-loading of
modules by default when GnuTLS is initialised.  It's unfortunate that
this combines badly with PKCS11 modules which expect to interact with
the user, but may well be correct for PKCS11 modules which interact with
a TPM store or some other device, to let the MTA have a secure identity
on a tamper-proof chip.

The current solution in Debian is my first pass "does this fix it for
you?" hack, which disables the module auto-loading.  The version
committed to git for the next Exim release adds a new option
"gnutls_enable_pkcs11", defaulting to False, because with these GUI
keyring integration modules in the wild, the reporter is quite right:
the MTA should not be loading those modules.

IMO this is a failure of the module configuration mechanism used, the
user-interfaces for configuring those modules and a sign of a deeper
problem.  But there's a way for us to avoid triggering those problems,
so we're now doing that by default.
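Added example, not code from this bug report or from Exim: a POSIX shell check an administrator can run to see which PKCS#11 modules p11-kit would hand to any GnuTLS-linked daemon that still has module auto-loading enabled. It assumes the default p11-kit directory layout (/usr/share/p11-kit/modules, /etc/pkcs11/modules, ~/.config/pkcs11/modules) with one `*.module` file per module whose `module:` key names the shared object; the sample module files it creates are constructed.

```shell
#!/bin/sh
# List the PKCS#11 modules p11-kit would auto-load from the given directories.
# Assumption: each module is described by a "*.module" file containing a
# "module: <shared-object>" line (p11-kit's per-module config format).

# Print "file<TAB>module" for each module file found in the directories given.
list_p11_modules() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.module; do
            [ -f "$f" ] || continue
            # Take the first "module:" line, value trimmed of surrounding whitespace.
            mod=$(sed -n 's/^[[:space:]]*module:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$f" | head -n 1)
            [ -n "$mod" ] || continue   # a file without "module:" loads nothing
            printf '%s\t%s\n' "$f" "$mod"
        done
    done
}

# Number of modules that would be auto-loaded from the given directories.
count_p11_modules() {
    list_p11_modules "$@" | wc -l | tr -d ' '
}

# Constructed sample: a fake user config directory with three module files,
# one of which is malformed (no "module:" key) and must be ignored.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'module: keyring-gui-pkcs11.so\ncritical: no\n' > "$demo_dir/keyring-gui.module"
printf '# comment line\n  module: tpm-pkcs11.so\n' > "$demo_dir/tpm.module"
printf 'critical: no\n' > "$demo_dir/broken.module"

# Scan the assumed default system/user locations plus the constructed directory;
# absent directories are silently skipped.
list_p11_modules /usr/share/p11-kit/modules /etc/pkcs11/modules \
                 "$HOME/.config/pkcs11/modules" "$demo_dir"
```

Any module listed for the system or user directories is one an MTA with auto-loading left on would load at GnuTLS initialisation.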
