From d815a37dda60233738e9d7876f9e24fe89181c9e Mon Sep 17 00:00:00 2001 From: Gregory Neil Shapiro Date: Tue, 16 Jun 2015 02:58:50 +0000 Subject: [PATCH] The import of openssl to address the FreeBSD-SA-15:10.openssl security advisory includes a change which rejects handshakes with DH parameters below 768 bits. sendmail releases prior to 8.15.2 (not yet released), defaulted to a 512 bit DH parameter setting for client connections. This commit chages that default to 1024 bits. sendmail 8.15.2, when released well use a default of 2048 bits. MFC after: 1 day --- contrib/sendmail/src/tls.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/contrib/sendmail/src/tls.c b/contrib/sendmail/src/tls.c index 75207ee4a1f0..ca93ee8b730f 100644 --- a/contrib/sendmail/src/tls.c +++ b/contrib/sendmail/src/tls.c @@ -650,7 +650,7 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar ** 1024 generate 1024 bit parameters ** 2048 generate 2048 bit parameters ** /file/name read parameters from /file/name - ** default is: 1024 for server, 512 for client (OK? XXX) + ** default is: 1024 */ if (bitset(TLS_I_TRY_DH, req)) @@ -676,8 +676,8 @@ inittls(ctx, req, options, srv, certfile, keyfile, cacertpath, cacertfile, dhpar } if (dhparam == NULL) { - dhparam = srv ? "1" : "5"; - req |= (srv ? TLS_I_DH1024 : TLS_I_DH512); + dhparam = "1"; + req |= TLS_I_DH1024; } else if (*dhparam == '/') {