d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

An additional fix for the openssl Weak DH remediation:

Browse Source 
The import of openssl to address the FreeBSD-SA-15:10.openssl security
advisory includes a change which rejects handshakes with DH parameters
below 768 bits.  sendmail releases prior to 8.15.2 (not yet released),
defaulted to a 512 bit DH parameter setting for client connections.

The first fix committed last week changed the default to 1024 bits.

This commit fixes the case where the DHParameters option is set to a
file which doesn't exist, which is the case on newer versions of
FreeBSD which enable STARTTLS by default by auto-creating TLS
certificates.

MFC after:	2 days
This commit is contained in:
gshapiro 2015-06-23 04:33:54 +00:00
parent 2c76978d5a
commit 2fe739732c
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
contrib/sendmail/src/sendmail.h
View File

@ -1935,7 +1935,7 @@ struct termescape
/* server requirements */
#define TLS_I_SRV (TLS_I_SRV_CERT | TLS_I_RSA_TMP | TLS_I_VRFY_PATH | \
TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH512 | \
TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH1024 | \
TLS_I_CACHE)
/* client requirements */