diff options
author | delphij <delphij@FreeBSD.org> | 2015-06-18 05:36:45 +0000 |
---|---|---|
committer | delphij <delphij@FreeBSD.org> | 2015-06-18 05:36:45 +0000 |
commit | c77d1b2ce7c2c919cbc3d61d52132d7c88d6bc21 (patch) | |
tree | 1fca439ce450c4e0692adc0e0b882ce056ae301d | |
parent | 17b1c22cf566ffc540a06c72a7e24903d70bdbbc (diff) | |
download | FreeBSD-src-c77d1b2ce7c2c919cbc3d61d52132d7c88d6bc21.zip FreeBSD-src-c77d1b2ce7c2c919cbc3d61d52132d7c88d6bc21.tar.gz |
Raise the default for sendmail client connections to 1024-bit DH
parameters to imporve TLS/DH interoperability with newer SSL/TLS
suite, notably OpenSSL after FreeBSD 10.1-RELEASE-p12 (FreeBSD-
SA-15:10.openssl).
This is MFC of r284436 (gshapiro), the original commit message
was:
===
The import of openssl to address the FreeBSD-SA-15:10.openssl security
advisory includes a change which rejects handshakes with DH parameters
below 768 bits. sendmail releases prior to 8.15.2 (not yet released),
defaulted to a 512 bit DH parameter setting for client connections.
This commit chages that default to 1024 bits. sendmail 8.15.2, when
released well use a default of 2048 bits.
===
Reported by: Frank Seltzer
Errata Notice: FreeBSD-EN-15:08.sendmail
Approved by: so
-rw-r--r-- | UPDATING | 3 | ||||
-rw-r--r-- | contrib/sendmail/src/tls.c | 6 | ||||
-rw-r--r-- | sys/conf/newvers.sh | 2 |
3 files changed, 7 insertions, 4 deletions
@@ -16,6 +16,9 @@ from older versions of FreeBSD, try WITHOUT_CLANG to bootstrap to the tip of stable/10, and then rebuild without this option. The bootstrap process from older version of current is a bit fragile. +20150618: p13 FreeBSD-EN-15:08.sendmail + Improvements to sendmail TLS/DH interoperability. [EN-15:08] + 20150612: p12 FreeBSD-SA-15:10.openssl Fix multiple vulnerabilities in OpenSSL. [SA-15:10] diff --git a/contrib/sendmail/src/tls.c b/contrib/sendmail/src/tls.c index 75207ee..ca93ee8 100644 --- a/contrib/sendmail/src/tls.c +++ b/contrib/sendmail/src/tls.c @@ -650,7 +650,7 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar ** 1024 generate 1024 bit parameters ** 2048 generate 2048 bit parameters ** /file/name read parameters from /file/name - ** default is: 1024 for server, 512 for client (OK? XXX) + ** default is: 1024 */ if (bitset(TLS_I_TRY_DH, req)) @@ -676,8 +676,8 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar } if (dhparam == NULL) { - dhparam = srv ? "1" : "5"; - req |= (srv ? TLS_I_DH1024 : TLS_I_DH512); + dhparam = "1"; + req |= TLS_I_DH1024; } else if (*dhparam == '/') { diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index cba1d4e..25f4bae 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="10.1" -BRANCH="RELEASE-p12" +BRANCH="RELEASE-p13" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi |