Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 10 Mar 2015 23:57:56 -0700
From:      Julian Elischer <julian@freebsd.org>
To:        freebsd security <freebsd-security@freebsd.org>, current@freebsd.com
Cc:        Gregory Shapiro <gshapiro@gshapiro.net>
Subject:   sendmail broken by libssl in current
Message-ID:  <54FFE774.50103@freebsd.org>
next in thread | raw e-mail | index | archive | help 
[sorry for reposting but the original copy I got back had been truncated]

libssl has a new "feature"
implemented by:
crypto/openssl/ssl/t1_lib.c

     672         /* Add padding to workaround bugs in F5 terminators.
     673          * See 
https://tools.ietf.org/html/draft-agl-tls-padding-03
     674          *
     675          * NB: because this code works out the length of all 
existing
     676          * extensions it MUST always appear last.
     677          */
     678         //if (s->options & SSL_OP_TLSEXT_PADDING)

unfortunatly this makes sendmail incompatible with various email 
servers around the world,
including (apparently (ironically (*))) Ironport email gateways.
It fails in TLS handshake.
These are commonly installed at companies and government departments.
consequently if you are mailing an important documant to your bank, or 
maybe some tax information to
your friendly tax department, youe emails sit in your queue for a week 
until they time out and get dropped.
(you may r may not get notified depending on your spam filters)

I had to make the following "fix" to libssl to get sendmail to be able 
to get my tax forms out.

Index: crypto/openssl/ssl/t1_lib.c
===================================================================
--- crypto/openssl/ssl/t1_lib.c    (revision 279747)
+++ crypto/openssl/ssl/t1_lib.c    (working copy)
@@ -675,7 +675,8 @@
       * NB: because this code works out the length of all existing
       * extensions it MUST always appear last.
       */
-    if (s->options & SSL_OP_TLSEXT_PADDING)
+    //if (s->options & SSL_OP_TLSEXT_PADDING)
+    if (0)
          {
          int hlen = ret - (unsigned char *)s->init_buf->data;
          /* The code in s23_clnt.c to build ClientHello messages




I saw some hints that there is a change in send mail somewhere that gets
around this but haven't been able to find the exact configuration 
change required
to make it happen.

Julian

(*) Ironically because :
1/ Ironport runs on FreeBSD
2/ I used to work there.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?54FFE774.50103>