From owner-freebsd-stable@FreeBSD.ORG  Mon Jun 15 03:24:08 2015
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id F048BD88
 for <freebsd-stable@hub.freebsd.org>; Mon, 15 Jun 2015 03:24:08 +0000 (UTC)
 (envelope-from gshapiro@gshapiro.net)
Received: from zim.gshapiro.net (zim.gshapiro.net [IPv6:2001:4f8:3:36::224])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "smtp.gshapiro.net", Issuer "Certificate Authority" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id D601BF5D
 for <freebsd-stable@freebsd.org>; Mon, 15 Jun 2015 03:24:08 +0000 (UTC)
 (envelope-from gshapiro@gshapiro.net)
Received: from minime.local (mx2.proofpoint.com [208.86.202.10])
 (authenticated bits=0)
 by zim.gshapiro.net (8.15.1.30/8.15.1.30) with ESMTPSA id t5F3O3rZ021826
 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO);
 Sun, 14 Jun 2015 20:24:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=gshapiro.net;
 s=gatsby.dkim; t=1434338647;
 bh=vgpbW2XpIZiAJlLTNbGv8KIONuaqJWPBWxWYzWNTY+8=;
 h=Date:From:To:Cc:Subject:References:In-Reply-To;
 b=ChS+3vw/zj/fJdPpcPB+llVd/pbixsJKVJ2ojurax8zNFaaYuTnnE+4I3A6TSsAzE
 VMPpKw5yb8mgWbbdKHT8YCHqLCgcJi30Sj9DsLLta4lrNsuhLP69VqZTjc9WD9USWt
 DL4G8efItitk4l/ZQgLZ7/4bfm+GDPPzE0e06YQ8=
Date: Sun, 14 Jun 2015 20:23:33 -0700
From: Gregory Shapiro <gshapiro@gshapiro.net>
To: Frank Seltzer <frank_s@bellsouth.net>
Cc: freebsd-stable@freebsd.org
Subject: Re: Sendmail problem after upgrade to r284296
Message-ID: <20150615032333.GE21822@minime.local>
References: <alpine.BSF.2.20.1506141014130.852@Ace.nina.org>
 <20150614165507.GD95564@minime.local>
 <alpine.BSF.2.20.1506141333131.852@Ace.nina.org>
 <20150614180142.GE95564@minime.local>
 <alpine.BSF.2.20.1506141952140.853@Ace.nina.org>
 <20150615013517.GA19755@minime.local>
 <alpine.BSF.2.20.1506142236490.853@Ace.nina.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <alpine.BSF.2.20.1506142236490.853@Ace.nina.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable/>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
 <mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Jun 2015 03:24:09 -0000

> I created it per your instructions.  See above about it not existing
> previously.

Oh, sorry for the confusion.  Seems an emergency patch is in order to change the default.

Would you be willing to test this patch (apply, build, install, remove dh.params file, and restart)?

The patch changes the client and server default to 2048 (previous 512 and 1024) to help mitigate LogJam/WeakDH.

Index: src/tls.c
===================================================================
--- src/tls.c	(revision 284402)
+++ src/tls.c	(working copy)
@@ -676,8 +676,8 @@
 		}
 		if (dhparam == NULL)
 		{
-			dhparam = srv ? "1" : "5";
-			req |= (srv ? TLS_I_DH1024 : TLS_I_DH512);
+			dhparam = "2";
+			req |= TLS_I_DH2048;
 		}
 		else if (*dhparam == '/')
 		{