From owner-svn-src-all@FreeBSD.ORG Tue Jun 23 04:33:54 2015 Return-Path: Delivered-To: svn-src-all@nevdull.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id E3F16577; Tue, 23 Jun 2015 04:33:54 +0000 (UTC) (envelope-from gshapiro@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id D1DF0BB1; Tue, 23 Jun 2015 04:33:54 +0000 (UTC) (envelope-from gshapiro@FreeBSD.org) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id t5N4XsvW069901; Tue, 23 Jun 2015 04:33:54 GMT (envelope-from gshapiro@FreeBSD.org) Received: (from gshapiro@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id t5N4XsPX069900; Tue, 23 Jun 2015 04:33:54 GMT (envelope-from gshapiro@FreeBSD.org) Message-Id: <201506230433.t5N4XsPX069900@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: gshapiro set sender to gshapiro@FreeBSD.org using -f From: Gregory Neil Shapiro Date: Tue, 23 Jun 2015 04:33:54 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r284717 - head/contrib/sendmail/src X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 23 Jun 2015 04:33:55 -0000 Author: gshapiro Date: Tue Jun 23 04:33:54 2015 New Revision: 284717 URL: https://svnweb.freebsd.org/changeset/base/284717 Log: An additional fix for the openssl Weak DH remediation: The import of openssl to address the FreeBSD-SA-15:10.openssl security advisory includes a change which rejects handshakes with DH parameters below 768 bits. sendmail releases prior to 8.15.2 (not yet released), defaulted to a 512 bit DH parameter setting for client connections. The first fix committed last week changed the default to 1024 bits. This commit fixes the case where the DHParameters option is set to a file which doesn't exist, which is the case on newer versions of FreeBSD which enable STARTTLS by default by auto-creating TLS certificates. MFC after: 2 days Modified: head/contrib/sendmail/src/sendmail.h Modified: head/contrib/sendmail/src/sendmail.h ============================================================================== --- head/contrib/sendmail/src/sendmail.h Tue Jun 23 04:17:12 2015 (r284716) +++ head/contrib/sendmail/src/sendmail.h Tue Jun 23 04:33:54 2015 (r284717) @@ -1935,7 +1935,7 @@ struct termescape /* server requirements */ #define TLS_I_SRV (TLS_I_SRV_CERT | TLS_I_RSA_TMP | TLS_I_VRFY_PATH | \ - TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH512 | \ + TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH1024 | \ TLS_I_CACHE) /* client requirements */