Date:      Mon, 15 Jun 2015 04:18:30 +0000 (UTC)
From:      Gregory Neil Shapiro <gshapiro@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r284403 - head
Message-ID:  <201506150418.t5F4IUJh047328@svn.freebsd.org>

Author: gshapiro
Date: Mon Jun 15 04:18:29 2015
New Revision: 284403
URL: https://svnweb.freebsd.org/changeset/base/284403

Log:
  Add a quick (?) note for users who may be having sendmail interoperability issues
  due to the recent (FreeBSD-SA-15:10.openssl) OpenSSL change to reject 512 bit
  DH parameters.  Affects 11-CURRENT and 10-STABLE.

Modified:
  head/UPDATING

Modified: head/UPDATING
==============================================================================
--- head/UPDATING	Mon Jun 15 01:04:01 2015	(r284402)
+++ head/UPDATING	Mon Jun 15 04:18:29 2015	(r284403)
@@ -31,6 +31,30 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 11
 	disable the most expensive debugging functionality run
 	"ln -s 'abort:false,junk:false' /etc/malloc.conf".)
 
+20150614:
+	The import of openssl to address the FreeBSD-SA-15:10.openssl
+	security advisory includes a change which rejects handshakes
+	with DH parameters below 768 bits.  sendmail releases prior
+	to 8.15.2 (not yet released), defaulted to a 512 bit
+	DH parameter setting for client connections.  To work around
+	this interoperability, sendmail can be configured to use a
+	2048 bit DH parameter by:
+
+	1. Edit /etc/mail/`hostname`.mc 
+	2. If a setting for confDH_PARAMETERS does not exist or
+	   exists and is set to a string beginning with '5',
+	   replace it with '2'.
+	3. If a setting for confDH_PARAMETERS exists and is set to
+	   a file path, create a new file with:
+		openssl dhparam -out /path/to/file 2048
+	4. Rebuild the .cf file:
+		cd /etc/mail/; make; make install
+	5. Restart sendmail:
+		cd /etc/mail/; make restart
+
+	A sendmail patch is coming, at which time this file will be
+	updated.
+
 20150604:
 	Generation of legacy formatted entries have been disabled by default
 	in pwd_mkdb(8), as all base system consumers of the legacy formatted
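Review bot: step 2 of the new 20150614 entry says to "replace it with '2'" even in the case where no confDH_PARAMETERS setting exists, so there is nothing to replace; spell out the line to add in that case, e.g. define(`confDH_PARAMETERS', `2'), and in step 3 say to regenerate the DH parameter file at the path the existing setting already names rather than "create a new file", since the .cf will keep pointing at that path. Minor: "To work around this interoperability" is missing the word "issue", and the "1. Edit /etc/mail/`hostname`.mc" line carries trailing whitespace.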