Date:      Sun, 14 Jun 2015 19:26:00 -0500
From:      Karl Denninger <karl@denninger.net>
To:        freebsd-stable@freebsd.org
Subject:   Re: Sendmail problem after upgrade to r284296
Message-ID:  <557E1B98.6070402@denninger.net>
In-Reply-To: <alpine.BSF.2.20.1506141952140.853@Ace.nina.org>
References:  <alpine.BSF.2.20.1506141014130.852@Ace.nina.org> <20150614165507.GD95564@minime.local> <alpine.BSF.2.20.1506141333131.852@Ace.nina.org> <20150614180142.GE95564@minime.local> <alpine.BSF.2.20.1506141952140.853@Ace.nina.org>


On 6/14/2015 19:21, Frank Seltzer wrote:
> I updated source and rebuilt world and kernel with no change in
> sendmail's behavior.  This is the revision I have now:
>
> root@Ace:/etc/mail/certs # svnlite info /usr/src/
> Path: /usr/src
> Working Copy Root Path: /usr/src
> URL: svn://ace/src/stable/10
> Relative URL: ^/stable/10
> Repository Root: svn://ace/src
> Repository UUID: ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
> Revision: 284384
> Node Kind: directory
> Schedule: normal
> Last Changed Author: kib
> Last Changed Rev: 284375
> Last Changed Date: 2015-06-14 01:12:48 -0400 (Sun, 14 Jun 2015)
>
> root@Ace:/etc/mail/certs # uname -a
> FreeBSD Ace.nina.org 10.1-STABLE FreeBSD 10.1-STABLE #0 r284384: Sun
> Jun 14 16:40:15 EDT 2015    
> frank_s@Ace.nina.org:/usr/obj/usr/src/sys/GENERIC amd64
>
> and openssl:
>
> root@Ace:/etc/mail/certs # openssl version
> OpenSSL 1.0.1o-freebsd 12 Jun 2015
>
> so I'm up to date there as well.
>
>> /etc/rc.d/sendmail stop
>> mv /etc/mail/certs/dh.param{,~old}
>> openssl dhparam -out /etc/mail/certs/dh.param 2048
>> /etc/rc.d/sendmail start
>
> After the update I got your email and followed your instructions,
> except for moving dh.param because it didn't exist, and sendmail is
> happy now.
>
> I checked and there is still no mention of this in /usr/src/UPDATING
> so my question is, when and how is dh.param supposed to be created? 
> Since I'm not the only one with this problem it doesn't seem to be
> something I did or didn't do.  What could have caused dh.param to not
> be generated?
>
> Thanks,
> Frank
>
It only needs to be done once (and now you've done it.)

The reason is a bit obscure but has to do with some vulnerabilities
discovered in DH key negotiation with weak parameter sets.  Most mail
servers do not check literally ANYTHING when it comes to SSL
connections, but this is a VERY poor practice.  That it's being
tightened up is a good thing to a point, but there will be more of this
sort of problem over time (particularly if people start getting uppity
about broken certification chains or private CAs as a whole LOT of email
servers run self-signed or local-CA-issued SSL certificates!)

Are these potentially breakable too?  Yes, with a MITM
(man-in-the-middle) attack -- but that's not the same degree of
vulnerability as the DH key problem, so hopefully the "cranking down of
the screws" will stop before it gets to where it begins to SEVERELY
impact mail exchange.


-- 
Karl Denninger
karl@denninger.net <mailto:karl@denninger.net>
/The Market Ticker/
/[S/MIME encrypted email preferred]/

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?557E1B98.6070402>