author | gshapiro <gshapiro@FreeBSD.org> | 2015-06-15 04:18:29 +0000 |
---|---|---|
committer | gshapiro <gshapiro@FreeBSD.org> | 2015-06-15 04:18:29 +0000 |
commit | aec16290fa8b7ce22866b6a18711ba700a154396 (patch) | |
tree | ff94f7951a838f6d2797c9f3c73e9cae41a0305f /UPDATING | |
parent | 49767afbca65221cffaba3409a639a80060bad49 (diff) | |
Add a quick (?) note for users who may be having sendmail interoperability issues
due to the recent (FreeBSD-SA-15:10.openssl) OpenSSL change to reject 512 bit
DH parameters. Affects 11-CURRENT and 10-STABLE.
Diffstat (limited to 'UPDATING')
-rw-r--r-- | UPDATING | 24 |
1 files changed, 24 insertions, 0 deletions
@@ -31,6 +31,30 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 11.x IS SLOW: disable the most expensive debugging functionality run "ln -s 'abort:false,junk:false' /etc/malloc.conf".) +20150614: + The import of openssl to address the FreeBSD-SA-15:10.openssl + security advisory includes a change which rejects handshakes + with DH parameters below 768 bits. sendmail releases prior + to 8.15.2 (not yet released), defaulted to a 512 bit + DH parameter setting for client connections. To work around + this interoperability, sendmail can be configured to use a + 2048 bit DH parameter by: + + 1. Edit /etc/mail/`hostname`.mc + 2. If a setting for confDH_PARAMETERS does not exist or + exists and is set to a string beginning with '5', + replace it with '2'. + 3. If a setting for confDH_PARAMETERS exists and is set to + a file path, create a new file with: + openssl dhparam -out /path/to/file 2048 + 4. Rebuild the .cf file: + cd /etc/mail/; make; make install + 5. Restart sendmail: + cd /etc/mail/; make restart + + A sendmail patch is coming, at which time this file will be + updated. + 20150604: Generation of legacy formatted entries have been disabled by default in pwd_mkdb(8), as all base system consumers of the legacy formatted |
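Review bot: Step 2 of the new 20150614 entry says to "replace it with '2'" even for the case where confDH_PARAMETERS "does not exist", where there is nothing to replace; split the two cases and spell out the full line to add to the .mc file when the setting is absent. Step 3 uses the placeholder /path/to/file without saying that it should be the path the existing confDH_PARAMETERS setting already names, so a reader may generate a new file that sendmail never reads. Two wording slips in the opening paragraph: "To work around this interoperability" is missing a noun such as "issue", and the comma after "(not yet released)" separates the subject from "defaulted". The entry also gives the rejection threshold as "below 768 bits" while the commit message describes it as rejecting 512 bit DH parameters; the two descriptions should agree.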