diff options
author | gshapiro <gshapiro@FreeBSD.org> | 2015-06-17 02:39:10 +0000 |
---|---|---|
committer | gshapiro <gshapiro@FreeBSD.org> | 2015-06-17 02:39:10 +0000 |
commit | 9b4db397fdf1029e257adb4bd19638a17a842c22 (patch) | |
tree | d0e36d7d1d47a7a4fcbff1565c61a984ab620ce0 | |
parent | a0f8d115dc38aaa1b24cca666f85f46555a93fd6 (diff) | |
download | FreeBSD-src-9b4db397fdf1029e257adb4bd19638a17a842c22.zip FreeBSD-src-9b4db397fdf1029e257adb4bd19638a17a842c22.tar.gz |
MFC: The import of openssl to address the FreeBSD-SA-15:10.openssl security
advisory includes a change which rejects handshakes with DH parameters
below 768 bits. sendmail releases prior to 8.15.2 (not yet released),
defaulted to a 512 bit DH parameter setting for client connections.
This commit chages that default to 1024 bits. sendmail 8.15.2, when
released well use a default of 2048 bits.
-rw-r--r-- | contrib/sendmail/src/tls.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/contrib/sendmail/src/tls.c b/contrib/sendmail/src/tls.c index 75207ee..ca93ee8 100644 --- a/contrib/sendmail/src/tls.c +++ b/contrib/sendmail/src/tls.c @@ -650,7 +650,7 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar ** 1024 generate 1024 bit parameters ** 2048 generate 2048 bit parameters ** /file/name read parameters from /file/name - ** default is: 1024 for server, 512 for client (OK? XXX) + ** default is: 1024 */ if (bitset(TLS_I_TRY_DH, req)) @@ -676,8 +676,8 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar } if (dhparam == NULL) { - dhparam = srv ? "1" : "5"; - req |= (srv ? TLS_I_DH1024 : TLS_I_DH512); + dhparam = "1"; + req |= TLS_I_DH1024; } else if (*dhparam == '/') { |