Date:      Sat, 20 Jun 2015 22:55:29 -0700
From:      Gregory Shapiro <gshapiro@gshapiro.net>
To:        FreeBSD Errata Notices <errata-notices@freebsd.org>, freebsd-stable <freebsd-stable@freebsd.org>
Subject:   Re: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-15:08.sendmail
Message-ID:  <20150621055529.GC51738@minime.local>
In-Reply-To: <20150620032245.GF45374@minime.local>
References:  <201506180553.t5I5rKlO059969@freefall.freebsd.org> <20150618112132.GD7234@pol-server.leissner.se> <CA%2BE3k91zj4Tt5BQKNbE5dn1FvykCbn=E1xhFjrkU18jMnL6DCw@mail.gmail.com> <20150618132211.GO7234@pol-server.leissner.se> <20150618151032.GB42082@minime.local> <20150618151608.GB3755@pol-server.leissner.se> <20150618154115.GA68153@C02N93Y5G3QT.corp.proofpoint.com> <20150620032245.GF45374@minime.local>


--ibTvN161/egqYuK8
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

> I'll post a patch here by tomorrow for those willing to assist in testing.

As promised, there are two patches attached to this email, only one of which is needed (see below).  This fixes the case where the DHParameters option is set to a file which doesn't exist, which is the case on newer versions of FreeBSD which enable STARTTLS by default by auto-creating TLS certificates.

The first attachment, new.patch, is just the change since the one committed to svn for the errata (i.e., if you have an up to date svn checkout, use this one).  The second attachment, full.patch, is the full set of changes needed (i.e., the ones from the first errata to tls.c and the new one to sendmail.h for the outstanding fix).  You only need one, don't try to apply both.  Since the change is to a .h file, be sure to build carefully (either do a make depend or a make clean if not using a full buildworld).

If testing, please try before Monday and drop me a note (no need to reply-all) letting me know if you were successful or not.


--ibTvN161/egqYuK8
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="new.patch"

Index: contrib/sendmail/src/sendmail.h
===================================================================
--- contrib/sendmail/src/sendmail.h	(revision 284661)
+++ contrib/sendmail/src/sendmail.h	(working copy)
@@ -1935,7 +1935,7 @@
 
 /* server requirements */
 #define TLS_I_SRV	(TLS_I_SRV_CERT | TLS_I_RSA_TMP | TLS_I_VRFY_PATH | \
-			 TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH512 | \
+			 TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH1024 | \
 			 TLS_I_CACHE)
 
 /* client requirements */
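Review bot: the server mask now carries TLS_I_DH1024 instead of TLS_I_DH512, so this must be the same bit tls.c sets in its default branch (`req |= TLS_I_DH1024`); if the two ever drift apart a server with no DHParameters would carry a requirement bit that the DH setup code never satisfies. Because the edit lives in sendmail.h, every object that includes it must be rebuilt (`make depend` or `make clean`, as the cover note says), otherwise stale objects will disagree on the value of TLS_I_SRV.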

--ibTvN161/egqYuK8
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="full.patch"

Index: contrib/sendmail/src/tls.c
===================================================================
--- contrib/sendmail/src/tls.c	(revision 283856)
+++ contrib/sendmail/src/tls.c	(working copy)
@@ -650,7 +650,7 @@
 	**  1024	generate 1024 bit parameters
 	**  2048	generate 2048 bit parameters
 	**  /file/name	read parameters from /file/name
-	**  default is: 1024 for server, 512 for client (OK? XXX)
+	**  default is: 1024
 	*/
 
 	if (bitset(TLS_I_TRY_DH, req))
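Review bot: the replacement comment `**  default is: 1024` silently drops the server/client distinction that the old text spelled out, so a reader of the comment alone may still assume the client side is handled separately. Suggest `**  default is: 1024 (both server and client)` so the comment states the same thing as the code change in the next hunk.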
@@ -676,8 +676,8 @@
 		}
 		if (dhparam == NULL)
 		{
-			dhparam = srv ? "1" : "5";
-			req |= (srv ? TLS_I_DH1024 : TLS_I_DH512);
+			dhparam = "1";
+			req |= TLS_I_DH1024;
 		}
 		else if (*dhparam == '/')
 		{
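Review bot: this branch only runs when dhparam is NULL, whereas the failure the cover mail describes (DHParameters naming a file that does not exist) enters the `else if (*dhparam == '/')` path instead; the hunk is right for the default case, but the commit message or a comment here should say how the missing-file path ends up satisfying TLS_I_DH1024 after the sendmail.h change, since that is the behaviour being fixed. Also confirm that `srv` is still referenced elsewhere in this function now that its use in the default branch is gone; if this was its only use, an unused-parameter warning will appear on builds with -Wunused.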
Index: contrib/sendmail/src/sendmail.h
===================================================================
--- contrib/sendmail/src/sendmail.h	(revision 283856)
+++ contrib/sendmail/src/sendmail.h	(working copy)
@@ -1935,7 +1935,7 @@
 
 /* server requirements */
 #define TLS_I_SRV	(TLS_I_SRV_CERT | TLS_I_RSA_TMP | TLS_I_VRFY_PATH | \
-			 TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH512 | \
+			 TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH1024 | \
 			 TLS_I_CACHE)
 
 /* client requirements */
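Review bot: with TLS_I_DH512 removed from the server mask here and from the client default in tls.c, the only plausible remaining consumer is the client requirements mask that starts just below the hunk; if TLS_I_CLT still lists TLS_I_DH512 the two sides would disagree about which DH group is expected, so please extend the diff context to show the TLS_I_CLT line (or confirm it never referenced TLS_I_DH512), and consider retiring the TLS_I_DH512 macro once nothing uses it.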

--ibTvN161/egqYuK8--
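As an added example for this thread (not code from sendmail, FreeBSD or the patch author), a small Python checker that does what an administrator testing this errata would want to do before and after applying it: read the DHParameters value out of sendmail.cf, report when it names a file that does not exist (the case the mail describes), and when the file does exist decode the PKCS#3 DH parameter block to confirm the prime is at least 1024 bits, the default the patch moves to. The "5"/"1"/"2" shorthands for 512/1024/2048-bit groups are assumed from sendmail's documented DHParameters values (the hunks above show "1" for 1024 and "5" for 512); the sendmail.cf excerpt and the DH blob are constructed test data, and `fake_reader` exists only so the check runs without touching /etc/mail.

```python
"""Defender-side check of sendmail's DHParameters option (added example,
not sendmail or errata code).  Reports whether the configured DH source
exists and whether its prime meets the 1024-bit post-errata default."""
import base64
import re

BUILTIN_DH_BITS = {"5": 512, "1": 1024, "2": 2048}  # assumed shorthands
MIN_DH_BITS = 1024                                   # post-errata default


def parse_dhparameters(cf_text):
    """Return the value of the first 'O DHParameters=...' line, or None."""
    for line in cf_text.splitlines():
        m = re.match(r"^O\s*DHParameters\s*=\s*(\S+)", line)
        if m:
            return m.group(1)
    return None


def _der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(v):
    """Encode a non-negative integer as a DER INTEGER."""
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:            # keep the sign bit clear
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def _der_read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def make_dh_pem(p, g=2):
    """Build a PEM 'DH PARAMETERS' blob (PKCS#3 SEQUENCE { p, g }).  Used
    only to construct test input: p need not be a real safe prime because
    the checker inspects nothing but its bit length."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    return ("-----BEGIN DH PARAMETERS-----\n" + base64.b64encode(der).decode()
            + "\n-----END DH PARAMETERS-----\n")


def dh_prime_bits(pem_text):
    """Bit length of the prime p inside a PEM 'DH PARAMETERS' blob."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block in file")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _der_read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p_bytes, _ = _der_read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    return int.from_bytes(p_bytes, "big").bit_length()


def fake_reader(files):
    """Reader over an in-memory {path: text} map that raises
    FileNotFoundError like open() would (test scaffolding only)."""
    def read(path):
        if path not in files:
            raise FileNotFoundError(path)
        return files[path]
    return read


def check_dhparameters(cf_text, read_file=None):
    """Classify the DHParameters setting as (status, detail), where status
    is one of: unset / ok / weak / missing-file / unknown."""
    if read_file is None:
        def read_file(path):
            with open(path) as fh:
                return fh.read()
    value = parse_dhparameters(cf_text)
    if value is None:
        return "unset", "sendmail default applies (1024-bit after the errata fix)"
    if value in BUILTIN_DH_BITS:
        bits = BUILTIN_DH_BITS[value]
        return ("weak" if bits < MIN_DH_BITS else "ok"), f"built-in {bits}-bit group"
    if value.startswith("/"):
        try:
            pem = read_file(value)
        except FileNotFoundError:
            return "missing-file", f"{value} does not exist (the case the errata fix handles)"
        bits = dh_prime_bits(pem)
        return ("weak" if bits < MIN_DH_BITS else "ok"), f"{value}: {bits}-bit prime"
    return "unknown", f"unrecognised DHParameters value {value!r}"


# Constructed sendmail.cf excerpt; not taken from the thread or any real host.
SAMPLE_CF = "O ServerCertFile=/etc/mail/certs/host.cert\nO DHParameters=/etc/mail/certs/dh.param\n"

if __name__ == "__main__":
    absent = fake_reader({})
    present = fake_reader({"/etc/mail/certs/dh.param": make_dh_pem((1 << 1023) | 1)})
    print(check_dhparameters(SAMPLE_CF, absent))              # missing-file
    print(check_dhparameters(SAMPLE_CF, present))             # ok, 1024-bit prime
    print(check_dhparameters("O DHParameters=5\n", absent))   # weak, 512-bit group
```

On a real host, call `check_dhparameters(open("/etc/mail/sendmail.cf").read())` with no reader argument and the file is read from disk; a `missing-file` result is exactly the configuration the thread's patch is meant to survive, and a `weak` result means the group is below what the patch makes the default.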


