From: Paul Hoffman <paul.hoffman@vpnc.org>
To: Gregory Shapiro
Cc: freebsd security <freebsd-security@freebsd.org>
Subject: Re: sendmail broken by libssl in current
Date: Wed, 11 Mar 2015 12:01:26 -0700
In-Reply-To: <20150311161549.GB16749@C02KM089FFRR.corp.proofpoint.com>
References: <54FFE774.50103@freebsd.org> <20150311161549.GB16749@C02KM089FFRR.corp.proofpoint.com>

On Mar 11, 2015, at 9:15 AM, Gregory Shapiro wrote:

> First, thank you Philip for jumping on this. Much appreciated.
>
>> This wonderful change (cough) to include SSL_OP_TLSEXT_PADDING in
>> SSL_OP_ALL was addressed in sendmail 8.15.1, which explicitly removes
>> SSL_OP_TLSEXT_PADDING from the default ClientSSLOptions value if that
>> #define exists. I believe Greg is working on importing that to FreeBSD.
>
> sendmail 8.15.1 is imported into the vendor area but not merged due to an
> incompatible change that is being moved into a run-time configuration
> variable in 8.15.2. Rather than expose the FreeBSD populace to the churn
> from that change, I am skipping 8.15.1 and will import 8.15.2.
>
> That being said, I can certainly make the local fix that Philip mentioned
> to take care of the padding issue. Is the new libssl in 11-CURRENT going
> to be/already been MFC'ed to other branches?

I'm still *really* hesitant for us to be patching OpenSSL for a bug on a
middlebox vendor's system that already has a fix.

--Paul Hoffman
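The sendmail-side approach Philip describes above (start the client option mask from SSL_OP_ALL, then clear SSL_OP_TLSEXT_PADDING whenever that #define exists) as an added, self-contained C example. This is not sendmail's, OpenSSL's or FreeBSD's code: it uses the real OpenSSL macros when openssl/ssl.h is available and otherwise falls back to constructed bit values that are not OpenSSL's, and the "+NAME -NAME" adjustment list it parses is an assumed syntax for the example, not a documented sendmail option format.

```c
/*
 * Added example, not code from sendmail, OpenSSL or FreeBSD. It models the
 * fix described in the thread: build the client option mask from SSL_OP_ALL
 * but clear SSL_OP_TLSEXT_PADDING when that macro exists, so the padding
 * extension is not sent to peers that cannot handle it. The "+NAME -NAME"
 * list syntax applied on top is an assumption made for this example.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__has_include)
# if __has_include(<openssl/ssl.h>)
#  include <openssl/ssl.h>
# endif
#endif

/* Fallback values so the example compiles without OpenSSL headers. They are
 * constructed for this example and are NOT OpenSSL's real bit assignments. */
#ifndef SSL_OP_ALL
# define SSL_OP_TLSEXT_PADDING 0x00000010UL
# define SSL_OP_ALL            (0x000003EFUL | SSL_OP_TLSEXT_PADDING)
#endif
#ifndef SSL_OP_NO_SSLv3
# define SSL_OP_NO_SSLv3       0x02000000UL
#endif

/* Default client options: everything in SSL_OP_ALL except the TLS extension
 * padding workaround, mirroring what the thread says sendmail 8.15.1 does. */
uint64_t default_client_ssl_options(void)
{
    uint64_t opts = (uint64_t)SSL_OP_ALL;
#ifdef SSL_OP_TLSEXT_PADDING
    opts &= ~(uint64_t)SSL_OP_TLSEXT_PADDING;
#endif
    return opts;
}

/* Small name table for the options this example knows about. */
static const struct { const char *name; uint64_t bit; } option_names[] = {
    { "SSL_OP_ALL",            (uint64_t)SSL_OP_ALL },
    { "SSL_OP_TLSEXT_PADDING", (uint64_t)SSL_OP_TLSEXT_PADDING },
    { "SSL_OP_NO_SSLv3",       (uint64_t)SSL_OP_NO_SSLv3 },
};

static int lookup_option(const char *name, uint64_t *bit)
{
    size_t i;
    for (i = 0; i < sizeof option_names / sizeof option_names[0]; i++) {
        if (strcmp(option_names[i].name, name) == 0) {
            *bit = option_names[i].bit;
            return 1;
        }
    }
    return 0;
}

/* Apply a space/comma separated list of "+NAME" (set) and "-NAME" (clear)
 * tokens to `base`. Returns UINT64_MAX if any token is malformed or unknown,
 * so a typo in the configuration fails loudly instead of silently leaving a
 * workaround bit in an unintended state. */
uint64_t apply_ssl_option_list(uint64_t base, const char *spec)
{
    const char *p = spec;
    char name[64];

    if (spec == NULL)
        return UINT64_MAX;
    while (*p) {
        char sign;
        size_t n = 0;
        uint64_t bit;

        while (*p == ' ' || *p == ',' || *p == '\t')
            p++;
        if (!*p)
            break;
        sign = *p++;
        while (*p && *p != ' ' && *p != ',' && *p != '\t') {
            if (n + 1 >= sizeof name)
                return UINT64_MAX;      /* token too long */
            name[n++] = *p++;
        }
        name[n] = '\0';
        if ((sign != '+' && sign != '-') || n == 0 || !lookup_option(name, &bit))
            return UINT64_MAX;          /* missing sign or unknown option */
        if (sign == '+')
            base |= bit;
        else
            base &= ~bit;
    }
    return base;
}

int main(void)
{
    uint64_t d = default_client_ssl_options();
    uint64_t o = apply_ssl_option_list((uint64_t)SSL_OP_ALL,
                                       "-SSL_OP_TLSEXT_PADDING +SSL_OP_NO_SSLv3");
    printf("default: padding %s\n", (d & (uint64_t)SSL_OP_TLSEXT_PADDING) ? "on" : "off");
    printf("from list: padding %s, no-sslv3 %s\n",
           (o & (uint64_t)SSL_OP_TLSEXT_PADDING) ? "on" : "off",
           (o & (uint64_t)SSL_OP_NO_SSLv3) ? "on" : "off");
    return 0;
}
```

Because the padding bit is cleared from the computed default rather than hard-coded away, the rest of SSL_OP_ALL's compatibility bits stay in force and an operator can still re-enable padding explicitly with "+SSL_OP_TLSEXT_PADDING" if a specific peer needs it.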