Date:      Mon, 16 Mar 2015 13:28:26 -0700
From:      Gregory Shapiro <gshapiro@gshapiro.net>
To:        Julian Elischer <julian@freebsd.org>
Cc:        freebsd-security@freebsd.org
Subject:   Re: sendmail broken by libssl in current
Message-ID:  <20150316202826.GT66903@C02KM089FFRR.corp.proofpoint.com>
In-Reply-To: <5500950E.9070905@freebsd.org>
References:  <54FFE774.50103@freebsd.org> <alpine.BSO.2.20.1503110042030.28688@morgaine.local> <20150311161549.GB16749@C02KM089FFRR.corp.proofpoint.com> <5500950E.9070905@freebsd.org>


--5gxpn/Q6ypwruk0T
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

I've made the change in HEAD to turn off SSL padding (see attached mail message).  Julian, can you test to see if it addresses the issue before I MFC?


--5gxpn/Q6ypwruk0T
Content-Type: message/rfc822
Content-Disposition: inline

Return-Path: <owner-src-committers@freebsd.org>
Received: from deliver ([unix socket])
	 by imap.gshapiro.net (Cyrus v2.4.17) with LMTPA;
	 Mon, 16 Mar 2015 13:24:45 -0700
X-Sieve: CMU Sieve 2.4
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on zim.gshapiro.net
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_HI,
	RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_PASS,T_RP_MATCHES_RCVD autolearn=ham
	autolearn_force=no version=3.4.0
Received: from mx2.freebsd.org (mx2.freebsd.org [8.8.178.116])
	by zim.gshapiro.net (8.14.9/8.14.9) with ESMTP id t2GKOe7a045460
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL)
	for <freebsd-cvs-committers@g.gshapiro.net>; Mon, 16 Mar 2015 13:24:43 -0700 (PDT)
	(envelope-from owner-src-committers@freebsd.org)
Received: from hub.freebsd.org (hub.freebsd.org [8.8.178.136])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx2.freebsd.org (Postfix) with ESMTPS id 862443710;
	Mon, 16 Mar 2015 20:24:40 +0000 (UTC)
Received: by hub.freebsd.org (Postfix, from userid 538)
	id 7F63330A; Mon, 16 Mar 2015 20:24:40 +0000 (UTC)
Delivered-To: src-committers@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hub.freebsd.org (Postfix) with ESMTPS id 242B0308;
	Mon, 16 Mar 2015 20:24:39 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 0E984E6A;
	Mon, 16 Mar 2015 20:24:39 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
	by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id t2GKOcwW014428;
	Mon, 16 Mar 2015 20:24:38 GMT
	(envelope-from gshapiro@FreeBSD.org)
Received: (from gshapiro@localhost)
	by svn.freebsd.org (8.14.9/8.14.9/Submit) id t2GKOcGj014427;
	Mon, 16 Mar 2015 20:24:38 GMT
	(envelope-from gshapiro@FreeBSD.org)
Message-Id: <201503162024.t2GKOcGj014427@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: gshapiro set sender to gshapiro@FreeBSD.org using -f
From: Gregory Neil Shapiro <gshapiro@FreeBSD.org>
Date: Mon, 16 Mar 2015 20:24:38 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
        svn-src-head@freebsd.org
Subject: svn commit: r280155 - head/contrib/sendmail/src
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
X-Loop: FreeBSD.org
Sender: owner-src-committers@freebsd.org

Author: gshapiro
Date: Mon Mar 16 20:24:37 2015
New Revision: 280155
URL: https://svnweb.freebsd.org/changeset/base/280155

Log:
  Default to turning off OpenSSL SSL_OP_TLSEXT_PADDING as it breaks
  compatibility with some sites
  
  This change comes from 8.15 but is being backported to FreeBSD releases
  not yet using 8.15.
  
  MFC after:	3 days
  Noted by:	julian@

Modified:
  head/contrib/sendmail/src/readcf.c

Modified: head/contrib/sendmail/src/readcf.c
==============================================================================
--- head/contrib/sendmail/src/readcf.c	Mon Mar 16 20:13:25 2015	(r280154)
+++ head/contrib/sendmail/src/readcf.c	Mon Mar 16 20:24:37 2015	(r280155)
@@ -124,6 +124,11 @@ readcf(cfname, safe, e)
 		| SSL_OP_NO_TICKET
 #endif
 		;
+# ifdef SSL_OP_TLSEXT_PADDING
+	/* SSL_OP_TLSEXT_PADDING breaks compatibility with some sites */
+	Srv_SSL_Options &= ~SSL_OP_TLSEXT_PADDING;
+	Clt_SSL_Options &= ~SSL_OP_TLSEXT_PADDING;
+# endif /* SSL_OP_TLSEXT_PADDING */
 #endif /* STARTTLS */
 	if (DontLockReadFiles)
 		sff |= SFF_NOLOCK;
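Review bot: The comment on the added `# ifdef SSL_OP_TLSEXT_PADDING` block repeats the commit log instead of saying why the bit needs clearing at this point; the reader only sees the `;` that ends the options initializer above, so it is not obvious what sets SSL_OP_TLSEXT_PADDING in the first place. State in the comment what sets the bit by default and what compatibility problem it causes, so the block is not mistaken for dead code and removed later. Also note that the clear is applied unconditionally to both Srv_SSL_Options and Clt_SSL_Options, so an operator who does want the padding extension must re-enable it explicitly by name via the ssl_options table; a sentence in the log to that effect would help.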
@@ -2406,6 +2411,9 @@ static struct ssl_options
 #ifdef SSL_OP_CRYPTOPRO_TLSEXT_BUG
 	{ "SSL_OP_CRYPTOPRO_TLSEXT_BUG",	SSL_OP_CRYPTOPRO_TLSEXT_BUG	},
 #endif
+#ifdef SSL_OP_TLSEXT_PADDING
+	{ "SSL_OP_TLSEXT_PADDING",	SSL_OP_TLSEXT_PADDING	},
+#endif
 	{ NULL,		0		}
 };
 #endif /* STARTTLS && _FFR_TLS_1 */
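Review bot: The new table entry lives under `STARTTLS && _FFR_TLS_1` (per the trailing `#endif` comment), while the default clear in readcf() is guarded by plain `STARTTLS`. On a build without _FFR_TLS_1 the padding extension is therefore switched off with no way to turn it back on by name. Either mention in the log that re-enabling SSL_OP_TLSEXT_PADDING requires _FFR_TLS_1, or note it as an accepted limitation so the asymmetry is deliberate rather than accidental. The entry itself is consistent with the neighbouring SSL_OP_CRYPTOPRO_TLSEXT_BUG row in guard, spacing and tab alignment.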


--5gxpn/Q6ypwruk0T--


