> I'll post a patch here by tomorrow for those willing to assist in testing.

As promised, there are two patches attached to this email, only one of which is 
needed (see below).  This fixes the case where the DHParameters option is set 
to a file which doesn't exist, which is the case on newer versions of FreeBSD 
which enable STARTTLS by default by auto-creating TLS certificates.

The first attachment, new.patch, is just the change since the one committed to 
svn for the errata (i.e., if you have an up to date svn checkout, use this 
one).  The second attachment, full.patch, is the full set of changes needed 
(i.e., the ones from the first errata to tls.c and the new one to sendmail.h 
for the outstanding fix).  You only need one, don't try to apply both.  Since 
the change is to a .h file, be sure to build carefully (either do a make depend 
or a make clean if not using a full buildworld).

If testing, please try before Monday and drop me a note (no need to reply-all) 
letting me know if you were successful or not.

Index: contrib/sendmail/src/sendmail.h
===================================================================
--- contrib/sendmail/src/sendmail.h     (revision 284661)
+++ contrib/sendmail/src/sendmail.h     (working copy)
@@ -1935,7 +1935,7 @@
 
 /* server requirements */
 #define TLS_I_SRV      (TLS_I_SRV_CERT | TLS_I_RSA_TMP | TLS_I_VRFY_PATH | \
-                        TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH512 | \
+                        TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH1024 | \
                         TLS_I_CACHE)
 
 /* client requirements */
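Review bot: The email says this change fixes the DHParameters-points-to-a-missing-file case, but the hunk only swaps `TLS_I_DH512` for `TLS_I_DH1024` in `TLS_I_SRV`, and nothing in the diff explains why the server requiring 512-bit DH was what broke that path. A one-line comment above the `#define` stating that the server requirement must match the 1024-bit default now generated in tls.c would save the next reader from having to reconstruct that reasoning; also confirm that `TLS_I_DH512` is still referenced somewhere (for example in the client requirements that follow), otherwise it is dead and should be marked as such.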
Index: contrib/sendmail/src/tls.c
===================================================================
--- contrib/sendmail/src/tls.c  (revision 283856)
+++ contrib/sendmail/src/tls.c  (working copy)
@@ -650,7 +650,7 @@
        **  1024        generate 1024 bit parameters
        **  2048        generate 2048 bit parameters
        **  /file/name  read parameters from /file/name
-       **  default is: 1024 for server, 512 for client (OK? XXX)
+       **  default is: 1024
        */
 
        if (bitset(TLS_I_TRY_DH, req))
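Review bot: The new comment line `**  default is: 1024` drops the server/client distinction but does not say the default now applies to both sides, so it can be read as describing the server only. Since the code below sets `dhparam = "1"` regardless of `srv`, say so explicitly, for example `**  default is: 1024 for both server and client`, so the comment matches the code it documents.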
@@ -676,8 +676,8 @@
                }
                if (dhparam == NULL)
                {
-                       dhparam = srv ? "1" : "5";
-                       req |= (srv ? TLS_I_DH1024 : TLS_I_DH512);
+                       dhparam = "1";
+                       req |= TLS_I_DH1024;
                }
                else if (*dhparam == '/')
                {
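Review bot: After this change `srv` is no longer used in the `dhparam == NULL` branch, so check that it is still referenced elsewhere in the function; if not, the compiler will warn about an unused parameter and the signature should be adjusted. Note also that the client side now defaults to generating 1024-bit parameters where it previously asked for 512, so `TLS_I_DH512` is set nowhere in the visible code; if that flag has no remaining setter it should be retired or its continued purpose documented next to the definition.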
Index: contrib/sendmail/src/sendmail.h
===================================================================
--- contrib/sendmail/src/sendmail.h     (revision 283856)
+++ contrib/sendmail/src/sendmail.h     (working copy)
@@ -1935,7 +1935,7 @@
 
 /* server requirements */
 #define TLS_I_SRV      (TLS_I_SRV_CERT | TLS_I_RSA_TMP | TLS_I_VRFY_PATH | \
-                        TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH512 | \
+                        TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH1024 | \
                         TLS_I_CACHE)
 
 /* client requirements */
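Review bot: This sendmail.h hunk in full.patch is line-for-line identical to the one in new.patch, only the base revision in the header differs (283856 here versus 284661 above). Applying both patches would therefore make the second attempt fail on an already-changed line, which matches the "only apply one" instruction in the email; it would be worth stating in the patch header which revision each attachment expects so a tester with a mixed checkout picks the right one.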
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable