From owner-freebsd-security@FreeBSD.ORG Wed Mar 11 06:58:04 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id C2380275 for ; Wed, 11 Mar 2015 06:58:04 +0000 (UTC) Received: from vps1.elischer.org (vps1.elischer.org [204.109.63.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "vps1.elischer.org", Issuer "CA Cert Signing Authority" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 95FED9CC for ; Wed, 11 Mar 2015 06:58:04 +0000 (UTC) Received: from Julian-MBP3.local (50-196-156-133-static.hfc.comcastbusiness.net [50.196.156.133]) (authenticated bits=0) by vps1.elischer.org (8.14.9/8.14.9) with ESMTP id t2B6w1rw014065 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Tue, 10 Mar 2015 23:58:02 -0700 (PDT) (envelope-from julian@freebsd.org) Message-ID: <54FFE774.50103@freebsd.org> Date: Tue, 10 Mar 2015 23:57:56 -0700 From: Julian Elischer User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.5.0 MIME-Version: 1.0 To: freebsd security , current@freebsd.com Subject: sendmail broken by libssl in current Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Cc: Gregory Shapiro X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Mar 2015 06:58:04 -0000 [sorry for reposting but the original copy I got back had been truncated] libssl has a new "feature" implemented by: crypto/openssl/ssl/t1_lib.c 672 /* Add padding to workaround bugs in F5 terminators. 673 * See https://tools.ietf.org/html/draft-agl-tls-padding-03 674 * 675 * NB: because this code works out the length of all existing 676 * extensions it MUST always appear last. 677 */ 678 //if (s->options & SSL_OP_TLSEXT_PADDING) unfortunatly this makes sendmail incompatible with various email servers around the world, including (apparently (ironically (*))) Ironport email gateways. It fails in TLS handshake. These are commonly installed at companies and government departments. consequently if you are mailing an important documant to your bank, or maybe some tax information to your friendly tax department, youe emails sit in your queue for a week until they time out and get dropped. (you may r may not get notified depending on your spam filters) I had to make the following "fix" to libssl to get sendmail to be able to get my tax forms out. Index: crypto/openssl/ssl/t1_lib.c =================================================================== --- crypto/openssl/ssl/t1_lib.c (revision 279747) +++ crypto/openssl/ssl/t1_lib.c (working copy) @@ -675,7 +675,8 @@ * NB: because this code works out the length of all existing * extensions it MUST always appear last. */ - if (s->options & SSL_OP_TLSEXT_PADDING) + //if (s->options & SSL_OP_TLSEXT_PADDING) + if (0) { int hlen = ret - (unsigned char *)s->init_buf->data; /* The code in s23_clnt.c to build ClientHello messages I saw some hints that there is a change in send mail somewhere that gets around this but haven't been able to find the exact configuration change required to make it happen. Julian (*) Ironically because : 1/ Ironport runs on FreeBSD 2/ I used to work there.