Date: Wed, 11 Mar 2015 01:03:18 -0700 From: Philip Guenther <pguenther@proofpoint.com> To: Julian Elischer <julian@freebsd.org> Cc: current@freebsd.com, freebsd security <freebsd-security@freebsd.org>, Claus Assmann <cassmann@proofpoint.com>, Gregory Shapiro <gshapiro@gshapiro.net> Subject: Re: sendmail broken by libssl in current Message-ID: <alpine.BSO.2.20.1503110042030.28688@morgaine.local> In-Reply-To: <54FFE774.50103@freebsd.org> References: <54FFE774.50103@freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
[Forwarded from Greg, before he had to go offline] On Tue, 10 Mar 2015, Julian Elischer wrote: > libssl has a new "feature" > implemented by: > crypto/openssl/ssl/t1_lib.c > > 672 /* Add padding to workaround bugs in F5 terminators. > 673 * See https://tools.ietf.org/html/draft-agl-tls-padding-03 > 674 * > 675 * NB: because this code works out the length of all existing > 676 * extensions it MUST always appear last. > 677 */ > 678 //if (s->options & SSL_OP_TLSEXT_PADDING) > > unfortunatly this makes sendmail incompatible with various email servers > around the world, including (apparently (ironically (*))) Ironport email > gateways. It fails in TLS handshake. ... > I had to make the following "fix" to libssl to get sendmail to be able > to get my tax forms out. This wonderful change (cough) to include SSL_OP_TLSEXT_PADDING in SSL_OP_ALL was addressed in sendmail 8.15.1, which explicitly removes SSL_OP_TLSEXT_PADDING from the default ClientSSLOptions value if that #define exists. I believe Greg is working on importing that to FreeBSD. Pending that, simply copy the relevant code from the 8.15.1's readcf.c:readcf(), which has this: #if STARTTLS Srv_SSL_Options = SSL_OP_ALL; Clt_SSL_Options = SSL_OP_ALL # ifdef SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv2 # endif # ifdef SSL_OP_NO_TICKET | SSL_OP_NO_TICKET # endif ; # ifdef SSL_OP_TLSEXT_PADDING /* SSL_OP_TLSEXT_PADDING breaks compatibility with some sites */ Srv_SSL_Options &= ~SSL_OP_TLSEXT_PADDING; Clt_SSL_Options &= ~SSL_OP_TLSEXT_PADDING; # endif /* SSL_OP_TLSEXT_PADDING */ #endif /* STARTTLS */ You'll just need to add the #ifdef SSL_OP_TLSEXT_PADDING block. If the default is overriden by explicitly setting the ClientSSLOptions option in then config, then you may need to explicitly remove it there as well, such as seen in the implicit default: O ClientSSLOptions=SSL_OP_ALL SSL_OP_NO_SSLv2 SSL_OP_NO_TICKET -SSL_OP_TLSEXT_PADDING This option and default is documented in op.me in the source distribution. Philip Guenther Proofpoint Engineering
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?alpine.BSO.2.20.1503110042030.28688>