sendmail broken by libssl in current
Xin Li
delphij at delphij.net
Wed Mar 11 07:14:19 UTC 2015
On 3/10/15 23:57, Julian Elischer wrote:
> [sorry for reposting but the original copy I got back had been truncated]
>
> libssl has a new "feature"
> implemented by:
> crypto/openssl/ssl/t1_lib.c
>
> 672 /* Add padding to workaround bugs in F5 terminators.
> 673 * See https://tools.ietf.org/html/draft-agl-tls-padding-03
> 674 *
> 675 * NB: because this code works out the length of all
> existing
> 676 * extensions it MUST always appear last.
> 677 */
> 678 //if (s->options & SSL_OP_TLSEXT_PADDING)
>
> unfortunatly this makes sendmail incompatible with various email servers
> around the world,
> including (apparently (ironically (*))) Ironport email gateways.
> It fails in TLS handshake.
I hate workarounds of workarounds :(
How about this?
%%%
Index: contrib/sendmail/src/readcf.c
===================================================================
--- contrib/sendmail/src/readcf.c (revision 279857)
+++ contrib/sendmail/src/readcf.c (working copy)
@@ -116,7 +116,7 @@ readcf(cfname, safe, e)
#if STARTTLS
Srv_SSL_Options = SSL_OP_ALL;
- Clt_SSL_Options = SSL_OP_ALL
+ Clt_SSL_Options = SSL_OP_ALL & ~SSL_OP_TLSEXT_PADDING
#ifdef SSL_OP_NO_SSLv2
| SSL_OP_NO_SSLv2
#endif
%%%
Cheers,
More information about the freebsd-security
mailing list