From owner-freebsd-security@FreeBSD.ORG Wed Mar 11 07:14:19 2015 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id D9FEF833; Wed, 11 Mar 2015 07:14:19 +0000 (UTC) Received: from anubis.delphij.net (anubis.delphij.net [IPv6:2001:470:1:117::25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "anubis.delphij.net", Issuer "StartCom Class 1 Primary Intermediate Server CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id BBF3FC12; Wed, 11 Mar 2015 07:14:19 +0000 (UTC) Received: from Xins-MBP.home.us.delphij.net (c-71-202-112-39.hsd1.ca.comcast.net [71.202.112.39]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by anubis.delphij.net (Postfix) with ESMTPSA id EC638FE60; Wed, 11 Mar 2015 00:14:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=delphij.net; s=anubis; t=1426058059; x=1426072459; bh=WeVUnOHvPgkCklBbTKr4QT+1cswb7UOrBXjPATsOpiI=; h=Date:From:To:CC:Subject:References:In-Reply-To; b=TNvvtx0NcCo9hI7P1pC89pqbP2/1D7w7tV2A5JJd1TmwOXQXgJOonFG5qMdXvLWB7 /QhJ+6sMQEjln/9VSFP+JadZTailxMAKODdQNcWI6rXJufRlNDEXmhy94/rPFkg64o yN4BvMjuG4oLQ/DcKaQRZeUdeaUc6z6yJ+aBKvA0= Message-ID: <54FFEB49.5030706@delphij.net> Date: Wed, 11 Mar 2015 00:14:17 -0700 From: Xin Li User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.5.0 MIME-Version: 1.0 To: Julian Elischer , freebsd security , current@freebsd.com Subject: Re: sendmail broken by libssl in current References: <54FFE774.50103@freebsd.org> In-Reply-To: <54FFE774.50103@freebsd.org> Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: 8bit Cc: Gregory Shapiro X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 11 Mar 2015 07:14:19 -0000 On 3/10/15 23:57, Julian Elischer wrote: > [sorry for reposting but the original copy I got back had been truncated] > > libssl has a new "feature" > implemented by: > crypto/openssl/ssl/t1_lib.c > > 672 /* Add padding to workaround bugs in F5 terminators. > 673 * See https://tools.ietf.org/html/draft-agl-tls-padding-03 > 674 * > 675 * NB: because this code works out the length of all > existing > 676 * extensions it MUST always appear last. > 677 */ > 678 //if (s->options & SSL_OP_TLSEXT_PADDING) > > unfortunatly this makes sendmail incompatible with various email servers > around the world, > including (apparently (ironically (*))) Ironport email gateways. > It fails in TLS handshake. I hate workarounds of workarounds :( How about this? %%% Index: contrib/sendmail/src/readcf.c =================================================================== --- contrib/sendmail/src/readcf.c (revision 279857) +++ contrib/sendmail/src/readcf.c (working copy) @@ -116,7 +116,7 @@ readcf(cfname, safe, e) #if STARTTLS Srv_SSL_Options = SSL_OP_ALL; - Clt_SSL_Options = SSL_OP_ALL + Clt_SSL_Options = SSL_OP_ALL & ~SSL_OP_TLSEXT_PADDING #ifdef SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv2 #endif %%% Cheers,