On Sun, 14 Jun 2015, Gregory Shapiro wrote:
The new OpenSSL eliminated small DHParam support. That leaves two
possibilities:
1. The remote side you are talking to is using a small value. The best thing
to do would be to eliminate the DH ciphers from your settings. See the docs
for the CipherList setting.
Both machines are on my home network. Both have default settings.
2. Your side is using a small value. Double check your setting:
grep DHParam /etc/mail/sendmail.cf
# DHParameters (only required if DSA/DH is used)
#O DHParameters
# DHParameters (only required if DSA/DH is used)
O DHParameters=/etc/mail/certs/dh.param
# DHParameters (only required if DSA/DH is used)
O DHParameters=/etc/mail/certs/dh.param
Again, default values, no changes to the installed files made.
If that is set to '5' (or a string beginning with 5) or a filename which was
created with a 512 bit DHParam, change it to '2' (2048) or a newly created file
using 'openssl dhparam -out /path/to/file 2048'. In your
/etc/mail/`hostname`.mc file, this setting will show as confDH_PARAMETERS.
Also note that the first version of the openssl fix included an ABI issue and
a new version was released. Make sure you are using the latest version.
root@Shop:/etc/mail/certs # openssl version
OpenSSL 1.0.1n-freebsd 11 Jun 2015
root@Shop:/etc/mail/certs # svnlite info /usr/src/
Path: /usr/src
Working Copy Root Path: /usr/src
URL: svn://ace/src/stable/10
Relative URL: ^/stable/10
Repository Root: svn://ace/src
Repository UUID: ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
Revision: 284296
Node Kind: directory
Schedule: normal
Last Changed Author: jkim
Last Changed Rev: 284285
Last Changed Date: 2015-06-11 15:07:45 -0400 (Thu, 11 Jun 2015)
root@Ace:/usr/ports # openssl version
OpenSSL 1.0.1n-freebsd 11 Jun 2015
root@Ace:/usr/ports # svnlite info /usr/src/
Path: /usr/src
Working Copy Root Path: /usr/src
URL: svn://ace/src/stable/10
Relative URL: ^/stable/10
Repository Root: svn://ace/src
Repository UUID: ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
Revision: 284296
Node Kind: directory
Schedule: normal
Last Changed Author: jkim
Last Changed Rev: 284285
Last Changed Date: 2015-06-11 15:07:45 -0400 (Thu, 11 Jun 2015)
Has anything changed since then? Does this revision have the openssl
changes?
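
The check discussed in this thread, as an added example that is not part of the original messages: it reads the active `O DHParameters=` lines from sendmail.cf text and reports whether each value is the '5' or '2' setting or a parameter file, using `openssl dhparam -text` to get a file's bit length. The function names, the `MIN_BITS` threshold and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit active DHParameters settings.
MIN_BITS=2048   # assumption: the 2048-bit size recommended in the thread

# dh_bits FILE: print the bit length of a PEM DH parameter file, or nothing
# if the file is missing or unreadable or openssl is unavailable.
dh_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# classify_dh VALUE: judge one DHParameters value (shortcut or absolute path).
classify_dh() {
    case "$1" in
        5*) echo "weak: 512-bit setting" ;;
        2*) echo "ok: 2048-bit setting" ;;
        /*) bits=$(dh_bits "$1")
            if [ -z "$bits" ]; then
                echo "unknown: cannot read DH parameters"
            elif [ "$bits" -lt "$MIN_BITS" ]; then
                echo "weak: ${bits}-bit file"
            else
                echo "ok: ${bits}-bit file"
            fi ;;
        *)  echo "unknown: unrecognised value" ;;
    esac
}

# audit_cf: read sendmail.cf text on stdin; report each active (uncommented)
# "O DHParameters=" line. Commented "#O DHParameters" lines are skipped.
audit_cf() {
    sed -n 's/^O[[:space:]]*DHParameters=\(.*\)$/\1/p' |
    while IFS= read -r value; do
        printf '%s -> %s\n' "$value" "$(classify_dh "$value")"
    done
}

# Constructed sample input modelled on the grep output in the thread.
sample_cf() {
    cat <<'EOF'
# DHParameters (only required if DSA/DH is used)
#O DHParameters
O DHParameters=/etc/mail/certs/dh.param
O DHParameters=5
EOF
}

sample_cf | audit_cf   # real use: audit_cf < /etc/mail/sendmail.cf
```

A file reported as unknown or weak can be replaced with one made by the `openssl dhparam -out /path/to/file 2048` command quoted above.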