sendmail broken by libssl in current
Julian Elischer
julian at freebsd.org
Wed Mar 11 07:59:21 UTC 2015
On 3/11/15 12:14 AM, Xin Li wrote:
>
> On 3/10/15 23:57, Julian Elischer wrote:
>> [sorry for reposting but the original copy I got back had been truncated]
>>
>> libssl has a new "feature"
>> implemented by:
>> crypto/openssl/ssl/t1_lib.c
>>
>> 672 /* Add padding to workaround bugs in F5 terminators.
>> 673 * See https://tools.ietf.org/html/draft-agl-tls-padding-03
>> 674 *
>> 675 * NB: because this code works out the length of all
>> existing
>> 676 * extensions it MUST always appear last.
>> 677 */
>> 678 //if (s->options & SSL_OP_TLSEXT_PADDING)
>>
>> unfortunatly this makes sendmail incompatible with various email servers
>> around the world,
>> including (apparently (ironically (*))) Ironport email gateways.
>> It fails in TLS handshake.
> I hate workarounds of workarounds :(
>
> How about this?
>
> %%%
> Index: contrib/sendmail/src/readcf.c
> ===================================================================
> --- contrib/sendmail/src/readcf.c (revision 279857)
> +++ contrib/sendmail/src/readcf.c (working copy)
> @@ -116,7 +116,7 @@ readcf(cfname, safe, e)
>
> #if STARTTLS
> Srv_SSL_Options = SSL_OP_ALL;
> - Clt_SSL_Options = SSL_OP_ALL
> + Clt_SSL_Options = SSL_OP_ALL & ~SSL_OP_TLSEXT_PADDING
> #ifdef SSL_OP_NO_SSLv2
> | SSL_OP_NO_SSLv2
> #endif
> %%%
that's certainly better.. MY change was to just prove where the
problem was after reading a bit on the web.
The trouble is that that may break mail servers behind F5 appliances.
One wonders if one could only turn it off for every second attempt on
a retry after a failed attempt.
or some other way of not breaking the F5 appliances...
I found I could not talk to my child's school (department of
education) and my bank, over a period of just a week..
I will look to see if I start picking up new failures now (and see how
many F5 appliances there are :-).
> Cheers,
>
More information about the freebsd-security
mailing list