[FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-15:08.sendmail

Gregory Shapiro gshapiro at gshapiro.net
Sun Jun 21 05:55:32 UTC 2015


> I'll post a patch here by tomorrow for those willing to assist in testing.

As promised, there are two patches attached to this email, only one of which is needed (see below).  This fixes the case where the DHParameters option is set to a file which doesn't exist, which is the case on newer versions of FreeBSD that enable STARTTLS by default by auto-creating TLS certificates.

The first attachment, new.patch, is just the change since the one committed to svn for the errata (i.e., if you have an up-to-date svn checkout, use this one).  The second attachment, full.patch, is the full set of changes needed (i.e., the ones from the first errata to tls.c and the new one to sendmail.h for the outstanding fix).  You only need one; don't try to apply both.  Since the change is to a .h file, be sure to build carefully (either do a make depend or a make clean if not using a full buildworld).

If testing, please try before Monday and drop me a note (no need to reply-all) letting me know if you were successful or not.

-------------- next part --------------
Index: contrib/sendmail/src/sendmail.h
===================================================================
--- contrib/sendmail/src/sendmail.h	(revision 284661)
+++ contrib/sendmail/src/sendmail.h	(working copy)
@@ -1935,7 +1935,7 @@
 
 /* server requirements */
 #define TLS_I_SRV	(TLS_I_SRV_CERT | TLS_I_RSA_TMP | TLS_I_VRFY_PATH | \
-			 TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH512 | \
+			 TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH1024 | \
 			 TLS_I_CACHE)
 
 /* client requirements */
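Review bot: the client requirements definition that begins immediately after this hunk is outside the diff; since the tls.c change drops the 512-bit client default, check that the client mask does not still carry TLS_I_DH512, otherwise the client side keeps demanding a group size the code no longer generates by default. Swapping TLS_I_DH512 for TLS_I_DH1024 in TLS_I_SRV is the right direction on its own, as 512-bit DH groups are far below current minimum strength, but the two masks should be reviewed together so the requirement bits match what the `req |= TLS_I_DH1024` line in tls.c actually sets.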
-------------- next part --------------
Index: contrib/sendmail/src/tls.c
===================================================================
--- contrib/sendmail/src/tls.c	(revision 283856)
+++ contrib/sendmail/src/tls.c	(working copy)
@@ -650,7 +650,7 @@
 	**  1024	generate 1024 bit parameters
 	**  2048	generate 2048 bit parameters
 	**  /file/name	read parameters from /file/name
-	**  default is: 1024 for server, 512 for client (OK? XXX)
+	**  default is: 1024
 	*/
 
 	if (bitset(TLS_I_TRY_DH, req))
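Review bot: the rewritten comment no longer says whether the 1024 default applies to both server and client, which is exactly the distinction the code change below removes along with the "(OK? XXX)" question; suggest "default is: 1024 (server and client)" so a reader does not assume the old 512-bit client default survives. The "/file/name" line above is still accurate, but it is worth noting here that an unreadable file is what this errata is about, and the comment says nothing about what happens in that case.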
@@ -676,8 +676,8 @@
 		}
 		if (dhparam == NULL)
 		{
-			dhparam = srv ? "1" : "5";
-			req |= (srv ? TLS_I_DH1024 : TLS_I_DH512);
+			dhparam = "1";
+			req |= TLS_I_DH1024;
 		}
 		else if (*dhparam == '/')
 		{
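Review bot: the `dhparam == NULL` branch now ignores `srv`, so if this was its only remaining use in the function, expect an unused-parameter warning and consider dropping it or marking it unused. More importantly, the case the email describes (DHParameters pointing at a file that does not exist) is handled in the `else if (*dhparam == '/')` branch that begins at the end of this hunk and is not shown; confirm that when the file cannot be read the code falls back to the same generated 1024-bit parameters, and that the bits it leaves in `req` agree with TLS_I_DH1024 now being part of TLS_I_SRV, since a mismatch there is what made STARTTLS fail on the auto-generated-certificate installs.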
Index: contrib/sendmail/src/sendmail.h
===================================================================
--- contrib/sendmail/src/sendmail.h	(revision 283856)
+++ contrib/sendmail/src/sendmail.h	(working copy)
@@ -1935,7 +1935,7 @@
 
 /* server requirements */
 #define TLS_I_SRV	(TLS_I_SRV_CERT | TLS_I_RSA_TMP | TLS_I_VRFY_PATH | \
-			 TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH512 | \
+			 TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH1024 | \
 			 TLS_I_CACHE)
 
 /* client requirements */
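Review bot: this hunk is byte-for-byte the same TLS_I_DH512 to TLS_I_DH1024 change as in new.patch, just rebased against revision 283856 instead of 284661; applying full.patch on top of new.patch (or vice versa) will reject this hunk because the line already reads TLS_I_DH1024, which is why the email says to use only one. Use full.patch only on a checkout that also lacks the first errata's tls.c change shown above.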

