From 2978a935175f0a3d6b720f42dc9e8273692552d4 Mon Sep 17 00:00:00 2001
From: gshapiro <gshapiro@FreeBSD.org>
Date: Thu, 25 Jun 2015 01:49:44 +0000
Subject: MFC: An additional fix for the openssl Weak DH remediation:

     The import of openssl to address the FreeBSD-SA-15:10.openssl security
     advisory includes a change which rejects handshakes with DH parameters
     below 768 bits.  sendmail releases prior to 8.15.2 (not yet released),
     defaulted to a 512 bit DH parameter setting for client connections.

     The first fix committed last week changed the default to 1024 bits.

     This commit fixes the case where the DHParameters option is set to a
     file which doesn't exist, which is the case on newer versions of
     FreeBSD which enable STARTTLS by default by auto-creating TLS
     certificates.
---
 contrib/sendmail/src/sendmail.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'contrib/sendmail')

diff --git a/contrib/sendmail/src/sendmail.h b/contrib/sendmail/src/sendmail.h
index 1a079c0..07a58e9 100644
--- a/contrib/sendmail/src/sendmail.h
+++ b/contrib/sendmail/src/sendmail.h
@@ -1935,7 +1935,7 @@ struct termescape
 
 /* server requirements */
 #define TLS_I_SRV	(TLS_I_SRV_CERT | TLS_I_RSA_TMP | TLS_I_VRFY_PATH | \
-			 TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH512 | \
+			 TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH1024 | \
 			 TLS_I_CACHE)
 
 /* client requirements */
-- 
cgit v1.1