MFC: The import of openssl to address the FreeBSD-SA-15:10.openssl security

     advisory includes a change which rejects handshakes with DH parameters
     below 768 bits.  sendmail releases prior to 8.15.2 (not yet released),
     defaulted to a 512 bit DH parameter setting for client connections.
     This commit chages that default to 1024 bits.  sendmail 8.15.2, when
     released well use a default of 2048 bits.

1 files changed, 3 insertions, 3 deletions

diff --git a/contrib/sendmail/src/tls.c b/contrib/sendmail/src/tls.c
index 75207ee..ca93ee8 100644
--- a/contrib/sendmail/src/tls.c
+++ b/contrib/sendmail/src/tls.c
@@ -650,7 +650,7 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
 	**  1024	generate 1024 bit parameters
 	**  2048	generate 2048 bit parameters
 	**  /file/name	read parameters from /file/name
-	**  default is: 1024 for server, 512 for client (OK? XXX)
+	**  default is: 1024
 	*/
 
 	if (bitset(TLS_I_TRY_DH, req))
@@ -676,8 +676,8 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar
 		}
 		if (dhparam == NULL)
 		{
-			dhparam = srv ? "1" : "5";
-			req |= (srv ? TLS_I_DH1024 : TLS_I_DH512);
+			dhparam = "1";
+			req |= TLS_I_DH1024;
 		}
 		else if (*dhparam == '/')
 		{