Date: Wed, 11 Mar 2015 00:14:17 -0700 From: Xin Li <delphij@delphij.net> To: Julian Elischer <julian@freebsd.org>, freebsd security <freebsd-security@freebsd.org>, current@freebsd.com Cc: Gregory Shapiro <gshapiro@gshapiro.net> Subject: Re: sendmail broken by libssl in current Message-ID: <54FFEB49.5030706@delphij.net> In-Reply-To: <54FFE774.50103@freebsd.org> References: <54FFE774.50103@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 3/10/15 23:57, Julian Elischer wrote: > [sorry for reposting but the original copy I got back had been truncated] > > libssl has a new "feature" > implemented by: > crypto/openssl/ssl/t1_lib.c > > 672 /* Add padding to workaround bugs in F5 terminators. > 673 * See https://tools.ietf.org/html/draft-agl-tls-padding-03 > 674 * > 675 * NB: because this code works out the length of all > existing > 676 * extensions it MUST always appear last. > 677 */ > 678 //if (s->options & SSL_OP_TLSEXT_PADDING) > > unfortunatly this makes sendmail incompatible with various email servers > around the world, > including (apparently (ironically (*))) Ironport email gateways. > It fails in TLS handshake. I hate workarounds of workarounds :( How about this? %%% Index: contrib/sendmail/src/readcf.c =================================================================== --- contrib/sendmail/src/readcf.c (revision 279857) +++ contrib/sendmail/src/readcf.c (working copy) @@ -116,7 +116,7 @@ readcf(cfname, safe, e) #if STARTTLS Srv_SSL_Options = SSL_OP_ALL; - Clt_SSL_Options = SSL_OP_ALL + Clt_SSL_Options = SSL_OP_ALL & ~SSL_OP_TLSEXT_PADDING #ifdef SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv2 #endif %%% Cheers,
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?54FFEB49.5030706>