I've made the change in HEAD to turn off SSL padding (see attached mail
message). Julian, can you test to see if it addresses the issue before I MFC?
--- Begin Message ---
Author: gshapiro
Date: Mon Mar 16 20:24:37 2015
New Revision: 280155
URL: https://svnweb.freebsd.org/changeset/base/280155
Log:
Default to turning off OpenSSL SSL_OP_TLSEXT_PADDING as it breaks
compatibility with some sites
This change comes from 8.15 but is being backported to FreeBSD releases
not yet using 8.15.
MFC after: 3 days
Noted by: julian@
Modified:
head/contrib/sendmail/src/readcf.c
Modified: head/contrib/sendmail/src/readcf.c
==============================================================================
--- head/contrib/sendmail/src/readcf.c Mon Mar 16 20:13:25 2015
(r280154)
+++ head/contrib/sendmail/src/readcf.c Mon Mar 16 20:24:37 2015
(r280155)
@@ -124,6 +124,11 @@ readcf(cfname, safe, e)
| SSL_OP_NO_TICKET
#endif
;
+# ifdef SSL_OP_TLSEXT_PADDING
+ /* SSL_OP_TLSEXT_PADDING breaks compatibility with some sites */
+ Srv_SSL_Options &= ~SSL_OP_TLSEXT_PADDING;
+ Clt_SSL_Options &= ~SSL_OP_TLSEXT_PADDING;
+# endif /* SSL_OP_TLSEXT_PADDING */
#endif /* STARTTLS */
if (DontLockReadFiles)
sff |= SFF_NOLOCK;
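Review bot: The comment on the added `&= ~SSL_OP_TLSEXT_PADDING` lines says only that the option breaks some sites, so a maintainer cannot tell whether clearing it weakens TLS. As far as I know this option only pads the ClientHello as an interoperability workaround, so turning it off should cost no confidentiality or integrity, and the clear on `Srv_SSL_Options` is presumably a harmless no-op. The comment should say so, e.g. `/* ClientHello padding is an interop workaround, not a security control; off by default because some peers fail the handshake with it */`. readcf() begins and ends outside this hunk, so whether these defaults are overridden later is not visible here.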
@@ -2406,6 +2411,9 @@ static struct ssl_options
#ifdef SSL_OP_CRYPTOPRO_TLSEXT_BUG
{ "SSL_OP_CRYPTOPRO_TLSEXT_BUG", SSL_OP_CRYPTOPRO_TLSEXT_BUG
},
#endif
+#ifdef SSL_OP_TLSEXT_PADDING
+ { "SSL_OP_TLSEXT_PADDING", SSL_OP_TLSEXT_PADDING },
+#endif
{ NULL, 0 }
};
#endif /* STARTTLS && _FFR_TLS_1 */
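Review bot: The new `SSL_OP_TLSEXT_PADDING` table entry sits inside the `STARTTLS && _FFR_TLS_1` block (per the closing `#endif`), while the first hunk clears the bit under `STARTTLS` alone. In a build without `_FFR_TLS_1` the option is therefore forced off and, as far as this diff shows, there is no name an administrator can use to turn it back on for a peer that needs the padding. A short comment above the entry would record the pairing, e.g. `/* cleared by default in readcf(); listed here so it can be re-enabled by name */`, and the build-flag dependency is worth stating in the MFC note. The `ssl_options` table begins outside the hunk.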
--- End Message ---