From: Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: sendmail broken by libssl in current
Date: Wed, 11 Mar 2015 07:27:58 -0700
To: freebsd security
Cc: current@freebsd.com
In-Reply-To: <54FFE774.50103@freebsd.org>
Message-Id: <6BD2AE7F-8EC5-4EBC-A183-E03EC54456BC@vpnc.org>

On Mar 10, 2015, at 11:57 PM, Julian Elischer wrote:

> unfortunately this makes sendmail incompatible with various email servers around the world,
> including (apparently (ironically (*))) Ironport email gateways.
> It fails in TLS handshake.

Can you say which email servers *other* than unpatched Ironport fail? I've only seen it with unpatched Ironport on my (somewhat active) FreeBSD-based mail server. FWIW, I only see these bounces in my mail queue for exactly two sites.

Cisco has known about this for many months; see . I have been told by an Ironport user that there is already a patch that is available from Cisco. If that's true (I can't confirm), why would we want to do a patch to our core crypto?

--Paul Hoffman