Site Navigation

Date:      Tue, 16 Jun 2015 02:58:50 +0000 (UTC)
From:      Gregory Neil Shapiro <gshapiro@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r284436 - head/contrib/sendmail/src
Message-ID:  <201506160258.t5G2wo3a055792@svn.freebsd.org>

---

next in thread | raw e-mail | index | archive | help

---

Author: gshapiro
Date: Tue Jun 16 02:58:50 2015
New Revision: 284436
URL: https://svnweb.freebsd.org/changeset/base/284436

Log:
  The import of openssl to address the FreeBSD-SA-15:10.openssl security
  advisory includes a change which rejects handshakes with DH parameters
  below 768 bits.  sendmail releases prior to 8.15.2 (not yet released),
  defaulted to a 512 bit DH parameter setting for client connections.
  This commit chages that default to 1024 bits.  sendmail 8.15.2, when
  released well use a default of 2048 bits.
  
  MFC after:	1 day

Modified:
  head/contrib/sendmail/src/tls.c

Modified: head/contrib/sendmail/src/tls.c
==============================================================================
--- head/contrib/sendmail/src/tls.c	Tue Jun 16 02:31:11 2015	(r284435)
+++ head/contrib/sendmail/src/tls.c	Tue Jun 16 02:58:50 2015	(r284436)
@@ -650,7 +650,7 @@ inittls(ctx, req, options, srv, certfile
 	**  1024	generate 1024 bit parameters
 	**  2048	generate 2048 bit parameters
 	**  /file/name	read parameters from /file/name
-	**  default is: 1024 for server, 512 for client (OK? XXX)
+	**  default is: 1024
 	*/
 
 	if (bitset(TLS_I_TRY_DH, req))
@@ -676,8 +676,8 @@ inittls(ctx, req, options, srv, certfile
 		}
 		if (dhparam == NULL)
 		{
-			dhparam = srv ? "1" : "5";
-			req |= (srv ? TLS_I_DH1024 : TLS_I_DH512);
+			dhparam = "1";
+			req |= TLS_I_DH1024;
 		}
 		else if (*dhparam == '/')
 		{

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201506160258.t5G2wo3a055792>

Legal Notices | © 1995-2024 The FreeBSD Project. All rights reserved.

Contact