svn commit: r284788 - stable/9/contrib/sendmail/src

Gregory Neil Shapiro gshapiro at FreeBSD.org
Thu Jun 25 01:53:46 UTC 2015


Author: gshapiro
Date: Thu Jun 25 01:53:45 2015
New Revision: 284788
URL: https://svnweb.freebsd.org/changeset/base/284788

Log:
  MFC: An additional fix for the openssl Weak DH remediation:
  
       The import of openssl to address the FreeBSD-SA-15:10.openssl security
       advisory includes a change which rejects handshakes with DH parameters
       below 768 bits.  sendmail releases prior to 8.15.2 (not yet released),
       defaulted to a 512 bit DH parameter setting for client connections.
  
       The first fix committed last week changed the default to 1024 bits.
  
       This commit fixes the case where the DHParameters option is set to a
       file which doesn't exist, which is the case on newer versions of
       FreeBSD which enable STARTTLS by default by auto-creating TLS
       certificates.

Modified:
  stable/9/contrib/sendmail/src/sendmail.h
Directory Properties:
  stable/9/contrib/sendmail/   (props changed)

Modified: stable/9/contrib/sendmail/src/sendmail.h
==============================================================================
--- stable/9/contrib/sendmail/src/sendmail.h	Thu Jun 25 01:51:14 2015	(r284787)
+++ stable/9/contrib/sendmail/src/sendmail.h	Thu Jun 25 01:53:45 2015	(r284788)
@@ -1935,7 +1935,7 @@ struct termescape
 
 /* server requirements */
 #define TLS_I_SRV	(TLS_I_SRV_CERT | TLS_I_RSA_TMP | TLS_I_VRFY_PATH | \
-			 TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH512 | \
+			 TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH1024 | \
 			 TLS_I_CACHE)
 
 /* client requirements */
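Review bot: The changed flag is in TLS_I_SRV, under "/* server requirements */", while the log describes the 512-bit default as a client-connection setting and the trigger as a DHParameters file that doesn't exist; nothing in the hunk connects the two. A short comment at the macro stating what TLS_I_DH1024 selects when the DHParameters file is absent would make the intent clear to the next reader. The client requirements mask that follows is outside this hunk, so it is worth confirming that no TLS_I_DH512 remains there, given that the log cites a 768-bit minimum enforced by openssl.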

