svn commit: r284536 - in releng: 10.1 10.1/contrib/sendmail/src 10.1/sys/conf 8.4 8.4/contrib/sendmail/src 8.4/sys/conf 9.3 9.3/contrib/sendmail/src 9.3/sys/conf

Xin LI delphij at FreeBSD.org
Thu Jun 18 05:36:49 UTC 2015


Author: delphij
Date: Thu Jun 18 05:36:45 2015
New Revision: 284536
URL: https://svnweb.freebsd.org/changeset/base/284536

Log:
  Raise the default for sendmail client connections to 1024-bit DH
  parameters to imporve TLS/DH interoperability with newer SSL/TLS
  suite, notably OpenSSL after FreeBSD 10.1-RELEASE-p12 (FreeBSD-
  SA-15:10.openssl).
  
  This is MFC of r284436 (gshapiro), the original commit message
  was:
  
  ===
  The import of openssl to address the FreeBSD-SA-15:10.openssl security
  advisory includes a change which rejects handshakes with DH parameters
  below 768 bits.  sendmail releases prior to 8.15.2 (not yet released),
  defaulted to a 512 bit DH parameter setting for client connections.
  This commit changes that default to 1024 bits.  sendmail 8.15.2, when
  released, will use a default of 2048 bits.
  ===
  
  Reported by:	Frank Seltzer
  Errata Notice:	FreeBSD-EN-15:08.sendmail
  Approved by:	so

Modified:
  releng/10.1/UPDATING
  releng/10.1/contrib/sendmail/src/tls.c
  releng/10.1/sys/conf/newvers.sh
  releng/8.4/UPDATING
  releng/8.4/contrib/sendmail/src/tls.c
  releng/8.4/sys/conf/newvers.sh
  releng/9.3/UPDATING
  releng/9.3/contrib/sendmail/src/tls.c
  releng/9.3/sys/conf/newvers.sh

Modified: releng/10.1/UPDATING
==============================================================================
--- releng/10.1/UPDATING	Thu Jun 18 02:04:20 2015	(r284535)
+++ releng/10.1/UPDATING	Thu Jun 18 05:36:45 2015	(r284536)
@@ -16,6 +16,9 @@ from older versions of FreeBSD, try WITH
 stable/10, and then rebuild without this option. The bootstrap process from
 older version of current is a bit fragile.
 
+20150618:	p13	FreeBSD-EN-15:08.sendmail
+	Improvements to sendmail TLS/DH interoperability. [EN-15:08]
+
 20150612:	p12	FreeBSD-SA-15:10.openssl
 	Fix multiple vulnerabilities in OpenSSL.  [SA-15:10]
 

Modified: releng/10.1/contrib/sendmail/src/tls.c
==============================================================================
--- releng/10.1/contrib/sendmail/src/tls.c	Thu Jun 18 02:04:20 2015	(r284535)
+++ releng/10.1/contrib/sendmail/src/tls.c	Thu Jun 18 05:36:45 2015	(r284536)
@@ -650,7 +650,7 @@ inittls(ctx, req, options, srv, certfile
 	**  1024	generate 1024 bit parameters
 	**  2048	generate 2048 bit parameters
 	**  /file/name	read parameters from /file/name
-	**  default is: 1024 for server, 512 for client (OK? XXX)
+	**  default is: 1024
 	*/
 
 	if (bitset(TLS_I_TRY_DH, req))
@@ -676,8 +676,8 @@ inittls(ctx, req, options, srv, certfile
 		}
 		if (dhparam == NULL)
 		{
-			dhparam = srv ? "1" : "5";
-			req |= (srv ? TLS_I_DH1024 : TLS_I_DH512);
+			dhparam = "1";
+			req |= TLS_I_DH1024;
 		}
 		else if (*dhparam == '/')
 		{
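Review bot: The new default at `dhparam = "1";` and `req |= TLS_I_DH1024;` records nothing about why 1024 bits was chosen, even though this branch also accepts a 2048-bit setting (listed in the comment block of the previous hunk), so a why-comment above the assignment would help the next maintainer: `/* 1024 bits: the OpenSSL shipped for SA-15:10 rejects DH parameters below 768 bits; keep the string and the TLS_I_DH* bit in agreement (EN-15:08) */`. The explicit 512-bit setting appears to remain selectable by configuration (its handling is outside this hunk, and the 8.4 copy still documents it as `512 generate 512 bit parameters (fixed)` at the top of its first hunk), so that option line should gain a caveat that such parameters are rejected by the updated OpenSSL rather than silently working. inittls begins and ends outside the hunk. The same points apply to the identical hunks in the 8.4 and 9.3 copies of tls.c below.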

Modified: releng/10.1/sys/conf/newvers.sh
==============================================================================
--- releng/10.1/sys/conf/newvers.sh	Thu Jun 18 02:04:20 2015	(r284535)
+++ releng/10.1/sys/conf/newvers.sh	Thu Jun 18 05:36:45 2015	(r284536)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="10.1"
-BRANCH="RELEASE-p12"
+BRANCH="RELEASE-p13"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/8.4/UPDATING
==============================================================================
--- releng/8.4/UPDATING	Thu Jun 18 02:04:20 2015	(r284535)
+++ releng/8.4/UPDATING	Thu Jun 18 05:36:45 2015	(r284536)
@@ -15,6 +15,9 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
 	debugging tools present in HEAD were left in place because
 	sun4v support still needs work to become production ready.
 
+20150618:	p31	FreeBSD-EN-15:08.sendmail
+	Improvements to sendmail TLS/DH interoperability. [EN-15:08]
+
 20150612:	p30	FreeBSD-SA-15:10.openssl
 	Fix multiple vulnerabilities in OpenSSL.  [SA-15:10]
 

Modified: releng/8.4/contrib/sendmail/src/tls.c
==============================================================================
--- releng/8.4/contrib/sendmail/src/tls.c	Thu Jun 18 02:04:20 2015	(r284535)
+++ releng/8.4/contrib/sendmail/src/tls.c	Thu Jun 18 05:36:45 2015	(r284536)
@@ -648,7 +648,7 @@ inittls(ctx, req, options, srv, certfile
 	**  512		generate 512 bit parameters (fixed)
 	**  1024	generate 1024 bit parameters
 	**  /file/name	read parameters from /file/name
-	**  default is: 1024 for server, 512 for client (OK? XXX)
+	**  default is: 1024
 	*/
 
 	if (bitset(TLS_I_TRY_DH, req))
@@ -672,8 +672,8 @@ inittls(ctx, req, options, srv, certfile
 		}
 		if (dhparam == NULL)
 		{
-			dhparam = srv ? "1" : "5";
-			req |= (srv ? TLS_I_DH1024 : TLS_I_DH512);
+			dhparam = "1";
+			req |= TLS_I_DH1024;
 		}
 		else if (*dhparam == '/')
 		{

Modified: releng/8.4/sys/conf/newvers.sh
==============================================================================
--- releng/8.4/sys/conf/newvers.sh	Thu Jun 18 02:04:20 2015	(r284535)
+++ releng/8.4/sys/conf/newvers.sh	Thu Jun 18 05:36:45 2015	(r284536)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="8.4"
-BRANCH="RELEASE-p30"
+BRANCH="RELEASE-p31"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/9.3/UPDATING
==============================================================================
--- releng/9.3/UPDATING	Thu Jun 18 02:04:20 2015	(r284535)
+++ releng/9.3/UPDATING	Thu Jun 18 05:36:45 2015	(r284536)
@@ -11,6 +11,9 @@ handbook:
 Items affecting the ports and packages system can be found in
 /usr/ports/UPDATING.  Please read that file before running portupgrade.
 
+20150618:	p17	FreeBSD-EN-15:08.sendmail
+	Improvements to sendmail TLS/DH interoperability. [EN-15:08]
+
 20150612:	p16	FreeBSD-SA-15:10.openssl
 	Fix multiple vulnerabilities in OpenSSL.  [SA-15:10]
 

Modified: releng/9.3/contrib/sendmail/src/tls.c
==============================================================================
--- releng/9.3/contrib/sendmail/src/tls.c	Thu Jun 18 02:04:20 2015	(r284535)
+++ releng/9.3/contrib/sendmail/src/tls.c	Thu Jun 18 05:36:45 2015	(r284536)
@@ -650,7 +650,7 @@ inittls(ctx, req, options, srv, certfile
 	**  1024	generate 1024 bit parameters
 	**  2048	generate 2048 bit parameters
 	**  /file/name	read parameters from /file/name
-	**  default is: 1024 for server, 512 for client (OK? XXX)
+	**  default is: 1024
 	*/
 
 	if (bitset(TLS_I_TRY_DH, req))
@@ -676,8 +676,8 @@ inittls(ctx, req, options, srv, certfile
 		}
 		if (dhparam == NULL)
 		{
-			dhparam = srv ? "1" : "5";
-			req |= (srv ? TLS_I_DH1024 : TLS_I_DH512);
+			dhparam = "1";
+			req |= TLS_I_DH1024;
 		}
 		else if (*dhparam == '/')
 		{

Modified: releng/9.3/sys/conf/newvers.sh
==============================================================================
--- releng/9.3/sys/conf/newvers.sh	Thu Jun 18 02:04:20 2015	(r284535)
+++ releng/9.3/sys/conf/newvers.sh	Thu Jun 18 05:36:45 2015	(r284536)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="9.3"
-BRANCH="RELEASE-p16"
+BRANCH="RELEASE-p17"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

