Date:      Wed, 12 Oct 2011 10:36:44 -0700
From:      Chuck Swiger <cswiger@mac.com>
To:        dweimer@dweimer.net
Cc:        freebsd-questions@freebsd.org
Subject:   Re: somewhat Off topic, Sendmail Issue
Message-ID:  <96D84300-128D-499C-8762-3A0EA4790A08@mac.com>
In-Reply-To: <c867f6af02b1d0117bddbe0db805e668@www.dweimer.net>
References:  <c867f6af02b1d0117bddbe0db805e668@www.dweimer.net>

Hi--

On Oct 12, 2011, at 8:29 AM, Dean E. Weimer wrote:
> I know that setting this option in Apache does the trick for HTTPS, I just need to figure out how to tell Sendmail to do the same.
> SSLCipherSuite ALL:!aNULL:!eNULL:!LOW:!EXP:!ADH:RC4+RSA:+HIGH:+MEDIUM:!SSLv2
> 
> If anyone has any idea how to do this, or any idea on what keywords to search on that might find me the directions it would be a great help.

If you can't find a way of specifying the allowed SSL ciphers via sendmail config (as someone mentioned, you can test ${cipher_bits} against ENCR:bits, but that doesn't disable anonymous ciphers like ADH entirely), you can build a modern flavor of OpenSSL to /usr/local with the ciphers you don't like disabled, and rebuild sendmail against this OpenSSL.

I believe that the security/openssl already does most of this for you, and would be easy to tweak a bit more if that's needed.

Regards,
-- 
-Chuck
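
Added example, not part of the original message: a short Python check showing why a bits-only test such as the ${cipher_bits} comparison mentioned above still lets anonymous (ADH) suites through, while a test on the Au= field does not. The sample lines are constructed in the format printed by `openssl ciphers -v`; the function names and the 128-bit threshold are assumptions made for illustration.

```python
import re

# Constructed sample in the format printed by `openssl ciphers -v`
# (not captured from any real server or OpenSSL build).
SAMPLE = """\
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128)  Mac=MD5
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
"""

LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[^\s(]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
)

def parse(text):
    """Turn `openssl ciphers -v` lines into dicts; Enc=None counts as 0 bits."""
    suites = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        suite = m.groupdict()
        suite["bits"] = int(suite["bits"] or 0)
        suites.append(suite)
    return suites

def passes_bits_only(suite, min_bits=128):
    """Policy that looks only at symmetric key length."""
    return suite["bits"] >= min_bits

def passes_policy(suite, min_bits=128):
    """Key length plus authenticated key exchange and real encryption."""
    return (suite["au"] != "None" and suite["enc"] != "None"
            and suite["bits"] >= min_bits)

def anonymous_gap(text, min_bits=128):
    """Suites a bits-only check accepts although they are unauthenticated."""
    return [s["name"] for s in parse(text)
            if passes_bits_only(s, min_bits) and s["au"] == "None"]

def accepted(text, min_bits=128):
    """Suites that satisfy the full policy."""
    return [s["name"] for s in parse(text) if passes_policy(s, min_bits)]

if __name__ == "__main__":
    print("bits-only check still admits:", anonymous_gap(SAMPLE))
    print("full policy accepts:", accepted(SAMPLE))
```

To audit a real build, feed the output of `openssl ciphers -v` for the cipher string in use to `anonymous_gap()` in place of the constructed sample.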



