Date: Sat, 20 Jun 2015 22:55:29 -0700
From: Gregory Shapiro
To: FreeBSD Errata Notices, freebsd-stable
Subject: Re: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-15:08.sendmail
Message-ID: <20150621055529.GC51738@minime.local>
In-Reply-To: <20150620032245.GF45374@minime.local>

> I'll post a patch here by tomorrow for those willing to assist in testing.

As promised, there are two patches attached to this email, only one of which is needed (see below). This fixes the case where the DHParameters option is set to a file which doesn't exist, which is the case on newer versions of FreeBSD which enable STARTTLS by default by auto-creating TLS certificates.

The first attachment, new.patch, is just the change since the one committed to svn for the errata (i.e., if you have an up-to-date svn checkout, use this one). The second attachment, full.patch, is the full set of changes needed (i.e., the ones from the first errata to tls.c and the new one to sendmail.h for the outstanding fix). You only need one; don't try to apply both.

Since the change is to a .h file, be sure to build carefully (either do a make depend or a make clean if not using a full buildworld).
If testing, please try before Monday and drop me a note (no need to reply-all) letting me know if you were successful or not.

Attachment: new.patch

Index: contrib/sendmail/src/sendmail.h =================================================================== --- contrib/sendmail/src/sendmail.h (revision 284661) +++ contrib/sendmail/src/sendmail.h (working copy) @@ -1935,7 +1935,7 @@ /* server requirements */ #define TLS_I_SRV (TLS_I_SRV_CERT | TLS_I_RSA_TMP | TLS_I_VRFY_PATH | \ - TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH512 | \ + TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH1024 | \ TLS_I_CACHE) /* client requirements */

Attachment: full.patch

Index: contrib/sendmail/src/tls.c =================================================================== --- contrib/sendmail/src/tls.c (revision 283856) +++ contrib/sendmail/src/tls.c (working copy) @@ -650,7 +650,7 @@ ** 1024 generate 1024 bit parameters ** 2048 generate 2048 bit parameters ** /file/name read parameters from /file/name - ** default is: 1024 for server, 512 for client (OK? XXX) + ** default is: 1024 */ if (bitset(TLS_I_TRY_DH, req)) @@ -676,8 +676,8 @@ } if (dhparam == NULL) { - dhparam = srv ? "1" : "5"; - req |= (srv ? TLS_I_DH1024 : TLS_I_DH512); + dhparam = "1"; + req |= TLS_I_DH1024; } else if (*dhparam == '/') { Index: contrib/sendmail/src/sendmail.h =================================================================== --- contrib/sendmail/src/sendmail.h (revision 283856) +++ contrib/sendmail/src/sendmail.h (working copy) @@ -1935,7 +1935,7 @@ /* server requirements */ #define TLS_I_SRV (TLS_I_SRV_CERT | TLS_I_RSA_TMP | TLS_I_VRFY_PATH | \ - TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH512 | \ + TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH1024 | \ TLS_I_CACHE) /* client requirements */
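Review bot: the sendmail.h hunk at @@ -1935 (identical in new.patch and full.patch) swaps TLS_I_DH512 for TLS_I_DH1024 in the TLS_I_SRV mask, but the hunk ends at the "/* client requirements */" context line, so the TLS_I_CLT definition that follows is not visible. Since the tls.c change makes the client default "req |= TLS_I_DH1024;" as well, confirm that the client mask no longer carries TLS_I_DH512 either; otherwise the client side would still be declaring a 512-bit requirement that the new default never sets, and the two masks would disagree with the code that consumes them.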
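Review bot: in the tls.c hunk at @@ -676 the two removed ternaries were the only uses of srv visible in the hunk; if the function has no other use of that variable after the change, a build with unused-variable warnings will flag it, so either drop it or leave a short comment on why it stays. Separately, this hunk only changes the dhparam == NULL default, while the "else if (*dhparam == '/')" branch that takes a DHParameters file path is unchanged context, so the missing-file case the mail says this fixes must be handled by code outside the hunk that tests TLS_I_DH1024 in req; a one-line comment next to "req |= TLS_I_DH1024;" pointing at that fallback would make the dependency between this hunk and the sendmail.h mask change explicit.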
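Review bot: the rewritten comment line "** default is: 1024" in the tls.c hunk at @@ -650 no longer says which side it applies to, whereas the old line distinguished server and client. Since the code change in the following hunk removes that distinction on purpose, wording it as "default is: 1024 for both server and client" documents the intent and justifies dropping the "(OK? XXX)" marker.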