Date: Sun, 14 Jun 2015 09:55:07 -0700
From: Gregory Shapiro <gshapiro@gshapiro.net>
To: Frank Seltzer <frank_s@bellsouth.net>
Cc: freebsd-stable@freebsd.org
Subject: Re: Sendmail problem after upgrade to r284296
Message-ID: <20150614165507.GD95564@minime.local>
In-Reply-To: <alpine.BSF.2.20.1506141014130.852@Ace.nina.org>
References: <alpine.BSF.2.20.1506141014130.852@Ace.nina.org>
> Jun 14 00:50:04 Ace sm-msp-queue[79406]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
> Jun 14 00:50:04 Ace sm-msp-queue[79406]: ruleset=tls_server, arg1=SOFTWARE, relay=[127.0.0.1], reject=403 4.7.0 TLS handshake.

The new OpenSSL eliminated small DHParam support. That leaves two possibilities:

1. The remote side you are talking to is using a small value. The best thing to do would be to eliminate the DH ciphers from your settings. See the docs for the CipherList setting.

2. Your side is using a small value. Double check your setting:

> grep DHParam /etc/mail/sendmail.cf
# DHParameters (only required if DSA/DH is used)
#O DHParameters

If that is set to '5' (or a string beginning with 5) or a filename which was created with a 512 bit DHParam, change it to '2' (2048) or a newly created file using 'openssl dhparam -out /path/to/file 2048'. In your /etc/mail/`hostname`.mc file, this setting will show as confDH_PARAMETERS.

Also note that the first version of the openssl fix included an ABI issue and a new version was released. Make sure you are using the latest version.
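A script that performs the check the reply describes, as an added example that is not part of the thread or of sendmail itself: it pulls the active DHParameters option out of a sendmail.cf, classifies it the way the reply does ('5' = built-in 512-bit group, '2' = built-in 2048-bit group, otherwise a parameter file whose prime size is read back with openssl), and prints the fix. The helper names, the sample sendmail.cf excerpt and the /etc/mail/dh2048.pem path are assumptions; the '1' = 1024-bit mapping is taken from sendmail's option documentation and is not mentioned in the message.

```shell
#!/bin/sh
# Added example, not code from the thread: audit sendmail's DHParameters
# option for the "dh key too small" failure and print the recommended fix.
# Assumed names: dh_setting_from_cf, dh_file_bits, dh_classify, dh_fix_lines.

# Extract the active (uncommented) DHParameters option from a sendmail.cf.
# "#O DHParameters" is a comment and yields an empty string, i.e. unset.
dh_setting_from_cf() {
    sed -n 's/^O[[:space:]]*DHParameters[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Bit length of the DH prime in a PEM parameter file, read back with
# "openssl dhparam -text". Prints "unknown" if openssl is missing or the
# file does not parse, so the caller never mistakes a bad file for a good one.
dh_file_bits() {
    command -v openssl >/dev/null 2>&1 || { echo unknown; return 0; }
    bits=$(openssl dhparam -in "$1" -noout -text 2>/dev/null \
           | sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p')
    echo "${bits:-unknown}"
}

# Classify a DHParameters value as the reply describes it: a built-in group
# chosen by the first character, 'none', or a file whose size we measure.
# Output is "<bits>:<verdict>" so it can be checked by scripts.
dh_classify() {
    value=$1
    case "$value" in
        "")    echo "unset" ;;                 # sendmail's built-in default applies
        none)  echo "none" ;;                  # DH ciphers disabled
        5*)    echo "512:too-small" ;;         # built-in 512-bit group: rejected
        1*)    echo "1024:below-2048" ;;       # assumed: built-in 1024-bit group
        2*)    echo "2048:ok" ;;               # built-in 2048-bit group
        *)     bits=$(dh_file_bits "$value")
               case "$bits" in
                   unknown) echo "file:unknown" ;;
                   *) if [ "$bits" -le 512 ]; then echo "$bits:too-small"
                      elif [ "$bits" -lt 2048 ]; then echo "$bits:below-2048"
                      else echo "$bits:ok"; fi ;;
               esac ;;
    esac
}

# The fix from the reply: generate a fresh 2048-bit parameter file and point
# confDH_PARAMETERS at it in the .mc file (note the m4 quoting: ` ... ').
dh_fix_lines() {
    path=$1
    printf '%s\n' "openssl dhparam -out $path 2048"
    printf '%s\n' "define(\`confDH_PARAMETERS', \`$path')dnl"
}

# Constructed sample: a sendmail.cf excerpt that still selects the 512-bit group.
sample_cf="${TMPDIR:-/tmp}/dhcheck.$$"
cat >"$sample_cf" <<'EOF'
# DHParameters (only required if DSA/DH is used)
#O DHParameters
O DHParameters=5
EOF
setting=$(dh_setting_from_cf "$sample_cf")
echo "DHParameters=${setting:-<unset>} -> $(dh_classify "$setting")"
rm -f "$sample_cf"

# What to run and what to put in /etc/mail/`hostname`.mc (path assumed).
dh_fix_lines /etc/mail/dh2048.pem
```

Run it against the real file with `dh_classify "$(dh_setting_from_cf /etc/mail/sendmail.cf)"`; a verdict of `too-small` is the local-side case (possibility 2 in the reply), and an `ok` verdict with the handshake still failing points at the remote side (possibility 1), where dropping DH ciphers via CipherList is the workaround.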
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20150614165507.GD95564>