Never mind - I mistyped the define - it works. Thanks again,
-John On Thu, Sep 12, 2013 at 5:10 PM, John Hynes <jephy...@gmail.com> wrote: > After applying the patch, and recompiling with SSL_OP_NO_TLSv1_2, sendmail > still gives the same error, although the -no-tls1_2 option gets the test to > work. > > Are there other defines I need perhaps? > > -John > > > > On Thu, Sep 12, 2013 at 3:54 PM, Claus Assmann > <ca+openbsd_m...@esmtp.org>wrote: > >> On Thu, Sep 12, 2013, John Hynes wrote: >> >> > openssl s_client -starttls smtp -connect mail.dean.edu:25 >> > >> > ...from any of my OpenBSD 5.3 hosts, I get the same response: >> >> > CONNECTED(00000003) >> > 12556912661392:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake >> > failure:/usr/src/lib/libssl/ssl/../src/ssl/s23_lib.c:177: >> >> Add -no_tls1_2 to your call. >> >> If that works, add some options to sendmail to make SSL_OP_NO_TLSv1_2 >> available: >>
>> diff -ru sendmail-8.14.7/sendmail/readcf.c >> sendmail-8.14.7-new/sendmail/readcf.c
>> --- sendmail-8.14.7/sendmail/readcf.c 2013-03-15 17:54:12.000000000 >> +0000
>> +++ sendmail-8.14.7-new/sendmail/readcf.c 2013-06-24 >> 14:26:01.000000000 +0100
>> @@ -2303,13 +2303,16 @@
>> long sslopt_bits; /* bits to set/clear */
>> } SSL_Option[] =
>> {
>> -/* these are turned on by default */
>> +/* Bugs (and some others) are turned on by default */
>> #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
>> { "SSL_OP_MICROSOFT_SESS_ID_BUG", >> SSL_OP_MICROSOFT_SESS_ID_BUG },
>> #endif
>> #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
>> { "SSL_OP_NETSCAPE_CHALLENGE_BUG", >> SSL_OP_NETSCAPE_CHALLENGE_BUG },
>> #endif
>> +#ifdef SSL_OP_LEGACY_SERVER_CONNECT
>> + { "SSL_OP_LEGACY_SERVER_CONNECT", >> SSL_OP_LEGACY_SERVER_CONNECT },
>> +#endif
>> #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
>> { "SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG", >> SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
>> #endif
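Review bot: `SSL_OP_LEGACY_SERVER_CONNECT` is added under the reworded comment `/* Bugs (and some others) are turned on by default */` with nothing to mark that it is not an interoperability bug workaround but a relaxation of the secure-renegotiation (RFC 5746) requirement. `SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION` in the second hunk has the same gap. Since the table appears to map configuration names to option bits, an operator picking from it cannot tell these entries from the harmless ones; I would put a comment above each, e.g. `/* weakens renegotiation protection (RFC 5746); enable only for a known legacy peer */`. The table definition starts before this hunk, so how the names are consumed is not visible here.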
>> @@ -2346,9 +2349,18 @@
>> #ifdef SSL_OP_NO_TICKET
>> { "SSL_OP_NO_TICKET", SSL_OP_NO_TICKET },
>> #endif
>> +#ifdef SSL_OP_CISCO_ANYCONNECT
>> + { "SSL_OP_CISCO_ANYCONNECT", SSL_OP_CISCO_ANYCONNECT },
>> +#endif
>> #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
>> { "SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION", >> SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
>> #endif
>> +#ifdef SSL_OP_NO_COMPRESSION
>> + { "SSL_OP_NO_COMPRESSION", SSL_OP_NO_COMPRESSION },
>> +#endif
>> +#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
>> + { "SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION", >> SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
>> +#endif
>> #ifdef SSL_OP_SINGLE_ECDH_USE
>> { "SSL_OP_SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE },
>> #endif
>> @@ -2373,6 +2385,12 @@
>> #ifdef SSL_OP_NO_TLSv1
>> { "SSL_OP_NO_TLSv1", SSL_OP_NO_TLSv1 },
>> #endif
>> +#ifdef SSL_OP_NO_TLSv1_2
>> + { "SSL_OP_NO_TLSv1_2", SSL_OP_NO_TLSv1_2 },
>> +#endif
>> +#ifdef SSL_OP_NO_TLSv1_1
>> + { "SSL_OP_NO_TLSv1_1", SSL_OP_NO_TLSv1_1 },
>> +#endif
>> #ifdef SSL_OP_PKCS1_CHECK_1
>> { "SSL_OP_PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1 },
>> #endif
>> @@ -2385,6 +2403,9 @@
>> #ifdef SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
>> { "SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG", >> SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG },
>> #endif
>> +#ifdef SSL_OP_CRYPTOPRO_TLSEXT_BUG
>> + { "SSL_OP_CRYPTOPRO_TLSEXT_BUG", >> SSL_OP_CRYPTOPRO_TLSEXT_BUG },
>> +#endif
>> { NULL, 0 }
>> };
>> #endif /* STARTTLS && _FFR_TLS_1 */
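Review bot: The `SSL_OP_NO_TLSv1_2` and `SSL_OP_NO_TLSv1_1` entries in the third hunk go in without a comment, and turning off a protocol version removes it from negotiation for every connection the option applies to. The thread uses `SSL_OP_NO_TLSv1_2` to get past one peer's handshake failure; if the option is set globally (the scope is not visible in this hunk) it would take TLS 1.2 away from all other peers as well. I would add a comment above the group, e.g. `/* protocol disables: interoperability workaround only; restrict to the affected peer where possible */`. As a style point, the two entries are out of version order; placing `SSL_OP_NO_TLSv1_1` before `SSL_OP_NO_TLSv1_2` would follow `SSL_OP_NO_TLSv1` naturally.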