From owner-freebsd-security@FreeBSD.ORG  Mon Mar 16 20:28:29 2015
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 5E00C571;
 Mon, 16 Mar 2015 20:28:29 +0000 (UTC)
Received: from zim.gshapiro.net (zim.gshapiro.net [IPv6:2001:4f8:3:36::224])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "smtp.gshapiro.net", Issuer "Certificate Authority" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 17878EA4;
 Mon, 16 Mar 2015 20:28:28 +0000 (UTC)
Received: from C02KM089FFRR.corp.proofpoint.com (mx2.proofpoint.com
 [208.86.202.10]) (authenticated bits=0)
 by zim.gshapiro.net (8.14.9/8.14.9) with ESMTP id t2GKSQDb045524
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO);
 Mon, 16 Mar 2015 13:28:28 -0700 (PDT)
 (envelope-from gshapiro@gshapiro.net)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=gshapiro.net;
 s=gatsby.dkim; t=1426537708;
 bh=j3Isyk8ZPeA6pfr/i8M8/WqaA7NiroS2RJtj1AY6JVI=;
 h=Date:From:To:Cc:Subject:References:In-Reply-To;
 b=DLX1gTXbHnHvNhWOOR8abk+//8wg+eGCTrXHR9RBLHHQP0rEpHddLkZIaMdWY3DLG
 Y/0uuQu1x5MmTTtzM5X3peXfoMAtNl+w74BhFMwiR7LMMA8N/tfby7MNEUr86hr+JH
 BPHjYbubsdlPLSNXkizEbLQM+ccfDlqymmOUKiCw=
Date: Mon, 16 Mar 2015 13:28:26 -0700
From: Gregory Shapiro <gshapiro@gshapiro.net>
To: Julian Elischer <julian@freebsd.org>
Subject: Re: sendmail broken by libssl in current
Message-ID: <20150316202826.GT66903@C02KM089FFRR.corp.proofpoint.com>
References: <54FFE774.50103@freebsd.org>
 <alpine.BSO.2.20.1503110042030.28688@morgaine.local>
 <20150311161549.GB16749@C02KM089FFRR.corp.proofpoint.com>
 <5500950E.9070905@freebsd.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="5gxpn/Q6ypwruk0T"
Content-Disposition: inline
In-Reply-To: <5500950E.9070905@freebsd.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
X-Mailman-Approved-At: Mon, 16 Mar 2015 20:38:05 +0000
Cc: freebsd-security@freebsd.org
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Mar 2015 20:28:29 -0000


--5gxpn/Q6ypwruk0T
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

I've made the change in HEAD to turn off SSL padding (see attached mail message).  Julian, can you test to see if it addresses the issue before I MFC?


--5gxpn/Q6ypwruk0T
Content-Type: message/rfc822
Content-Disposition: inline

Return-Path: <owner-src-committers@freebsd.org>
Received: from deliver ([unix socket])
	 by imap.gshapiro.net (Cyrus v2.4.17) with LMTPA;
	 Mon, 16 Mar 2015 13:24:45 -0700
X-Sieve: CMU Sieve 2.4
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on zim.gshapiro.net
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_HI,
	RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_PASS,T_RP_MATCHES_RCVD autolearn=ham
	autolearn_force=no version=3.4.0
Received: from mx2.freebsd.org (mx2.freebsd.org [8.8.178.116])
	by zim.gshapiro.net (8.14.9/8.14.9) with ESMTP id t2GKOe7a045460
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL)
	for <freebsd-cvs-committers@g.gshapiro.net>; Mon, 16 Mar 2015 13:24:43 -0700 (PDT)
	(envelope-from owner-src-committers@freebsd.org)
Received: from hub.freebsd.org (hub.freebsd.org [8.8.178.136])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx2.freebsd.org (Postfix) with ESMTPS id 862443710;
	Mon, 16 Mar 2015 20:24:40 +0000 (UTC)
Received: by hub.freebsd.org (Postfix, from userid 538)
	id 7F63330A; Mon, 16 Mar 2015 20:24:40 +0000 (UTC)
Delivered-To: src-committers@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hub.freebsd.org (Postfix) with ESMTPS id 242B0308;
	Mon, 16 Mar 2015 20:24:39 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 0E984E6A;
	Mon, 16 Mar 2015 20:24:39 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
	by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id t2GKOcwW014428;
	Mon, 16 Mar 2015 20:24:38 GMT
	(envelope-from gshapiro@FreeBSD.org)
Received: (from gshapiro@localhost)
	by svn.freebsd.org (8.14.9/8.14.9/Submit) id t2GKOcGj014427;
	Mon, 16 Mar 2015 20:24:38 GMT
	(envelope-from gshapiro@FreeBSD.org)
Message-Id: <201503162024.t2GKOcGj014427@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: gshapiro set sender to gshapiro@FreeBSD.org using -f
From: Gregory Neil Shapiro <gshapiro@FreeBSD.org>
Date: Mon, 16 Mar 2015 20:24:38 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
        svn-src-head@freebsd.org
Subject: svn commit: r280155 - head/contrib/sendmail/src
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
X-Loop: FreeBSD.org
Sender: owner-src-committers@freebsd.org

Author: gshapiro
Date: Mon Mar 16 20:24:37 2015
New Revision: 280155
URL: https://svnweb.freebsd.org/changeset/base/280155

Log:
  Default to turning off OpenSSL SSL_OP_TLSEXT_PADDING as it breaks
  compatibility with some sites
  
  This change comes from 8.15 but is being backported to FreeBSD releases
  not yet using 8.15.
  
  MFC after:	3 days
  Noted by:	julian@

Modified:
  head/contrib/sendmail/src/readcf.c

Modified: head/contrib/sendmail/src/readcf.c
==============================================================================
--- head/contrib/sendmail/src/readcf.c	Mon Mar 16 20:13:25 2015	(r280154)
+++ head/contrib/sendmail/src/readcf.c	Mon Mar 16 20:24:37 2015	(r280155)
@@ -124,6 +124,11 @@ readcf(cfname, safe, e)
 		| SSL_OP_NO_TICKET
 #endif
 		;
+# ifdef SSL_OP_TLSEXT_PADDING
+	/* SSL_OP_TLSEXT_PADDING breaks compatibility with some sites */
+	Srv_SSL_Options &= ~SSL_OP_TLSEXT_PADDING;
+	Clt_SSL_Options &= ~SSL_OP_TLSEXT_PADDING;
+# endif /* SSL_OP_TLSEXT_PADDING */
 #endif /* STARTTLS */
 	if (DontLockReadFiles)
 		sff |= SFF_NOLOCK;
@@ -2406,6 +2411,9 @@ static struct ssl_options
 #ifdef SSL_OP_CRYPTOPRO_TLSEXT_BUG
 	{ "SSL_OP_CRYPTOPRO_TLSEXT_BUG",	SSL_OP_CRYPTOPRO_TLSEXT_BUG	},
 #endif
+#ifdef SSL_OP_TLSEXT_PADDING
+	{ "SSL_OP_TLSEXT_PADDING",	SSL_OP_TLSEXT_PADDING	},
+#endif
 	{ NULL,		0		}
 };
 #endif /* STARTTLS && _FFR_TLS_1 */


--5gxpn/Q6ypwruk0T--