The change of default has been committed to HEAD and will be MFC'ed in the next day or two. Likewise, UPDATING from HEAD has been updated with:
20150615:
    The fix for the issue described in the 20150614 sendmail entry below
    has been committed in revision 284436. The workaround described in
    that entry is no longer needed unless the default setting is
    overridden by a confDH_PARAMETERS configuration setting of '5' or
    pointing to a 512 bit DH parameter file.

On Mon, Jun 15, 2015 at 08:22:24AM -0400, Frank Seltzer wrote:
> On Sun, 14 Jun 2015, Gregory Shapiro wrote:
>
> >>I created it per your instructions. See above about it not existing
> >>previously.
> >
> >Oh, sorry for the confusion. Seems an emergency patch is in order to change
> >the default.
> >
> >Would you be willing to test this patch (apply, build, install, remove
> >dh.params file, and restart)?
> >
> >The patch changes the client and server default to 2048 (previous 512 and
> >1024) to help mitigate LogJam/WeakDH.
> >
> >Index: src/tls.c
> >===================================================================
> >--- src/tls.c (revision 284402)
> >+++ src/tls.c (working copy)
> >@@ -676,8 +676,8 @@
> > }
> > if (dhparam == NULL)
> > {
> >- dhparam = srv ? "1" : "5";
> >- req |= (srv ? TLS_I_DH1024 : TLS_I_DH512);
> >+ dhparam = "2";
> >+ req |= TLS_I_DH2048;
> > }
> > else if (*dhparam == '/')
> > {
>
> Do you mean just build and install sendmail or world and kernel? I can do
> world and kernel if you want me to, it only takes about 2 hours to build
> world and 20 minutes to build the kernel so it's no big deal. I'll need
> instruction on how to patch the file though, I've never done it before.

_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
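Review bot: the hunk hardens only the unset branch (`dhparam == NULL`); an explicit confDH_PARAMETERS value of `"5"` (512-bit) or the `else if (*dhparam == '/')` file path still selects whatever the administrator configured, which is exactly the exception the UPDATING entry above has to carve out. Consider having those two paths log a warning when the chosen group is smaller than the new `TLS_I_DH2048` default, so sites that followed the earlier workaround and created a small dh.params file are told rather than silently left on a weak group. Also, the hunk assumes `TLS_I_DH2048` and the `"2"` selector are already understood by the code that later interprets `dhparam`; that definition is not in this hunk, so confirm it lands in the same revision.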
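The UPDATING entry and the quoted tls.c hunk together define what a weak setting looks like: the built-in selectors "5", "1" and "2" map to 512-, 1024- and 2048-bit groups, and a value starting with "/" names a PEM DH parameter file. The following audit helper is an added example, not sendmail's or FreeBSD's code; it parses a PKCS#3 DHParameter PEM (SEQUENCE { INTEGER p, INTEGER g }) with the standard library only and flags anything below the patch's new 2048-bit default. The sample PEM it builds uses a constructed modulus of the right size that is not a real prime, so it is only useful for exercising the parser.

```python
import base64
import re

BUILTIN_BITS = {"5": 512, "1": 1024, "2": 2048}  # selectors per the quoted tls.c hunk
NEW_DEFAULT_BITS = 2048  # default chosen by the patch (revision 284436)

def _der_len_enc(n):  # DER length, short or long form
    if n < 0x80:
        return bytes([n])
    k = (n.bit_length() + 7) // 8
    return bytes([0x80 | k]) + n.to_bytes(k, "big")

def _der_len_dec(buf, i):  # (length, index after the length field) at buf[i]
    if buf[i] < 0x80:
        return buf[i], i + 1
    k = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + k], "big"), i + 1 + k

def _der_int(n):  # DER INTEGER for n >= 0; the extra byte leaves a 0x00 sign pad
    b = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len_enc(len(b)) + b

def make_sample_pem(bits):
    """Constructed PKCS#3 DHParameter PEM; p = 2**(bits-1)+1 is NOT a real prime."""
    body = _der_int(2 ** (bits - 1) + 1) + _der_int(2)
    b64 = base64.b64encode(b"\x30" + _der_len_enc(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % "\n".join(lines)

def dh_prime_bits_from_pem(pem):
    """Bit length of p in a 'DH PARAMETERS' PEM block (SEQUENCE { p, g })."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block")
    der = base64.b64decode("".join(m.group(1).split()))
    _, i = _der_len_dec(der, 1)
    if der[0] != 0x30 or der[i] != 0x02:
        raise ValueError("not SEQUENCE { INTEGER p, ... }")
    plen, i = _der_len_dec(der, i + 1)
    return int.from_bytes(der[i:i + plen], "big").bit_length()

def audit_dhparameters(setting, read_file=lambda path: open(path).read()):
    """Return (bits, below_new_default) for a confDH_PARAMETERS value; None = unset."""
    if setting is None:
        bits = NEW_DEFAULT_BITS  # the NULL branch in the patched tls.c
    elif setting.startswith("/"):
        bits = dh_prime_bits_from_pem(read_file(setting))
    else:
        bits = BUILTIN_BITS[setting]
    return bits, bits < NEW_DEFAULT_BITS
```

`read_file` is injectable so the check can be run against a captured sendmail.cf value and its parameter file without touching the live mail host.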