Thanks Claus - the option did work, so I'll go with the patch.
-John
On Thu, Sep 12, 2013 at 3:54 PM, Claus Assmann <ca+openbsd_m...@esmtp.org>wrote:
> On Thu, Sep 12, 2013, John Hynes wrote:
>
> > openssl s_client -starttls smtp -connect mail.dean.edu:25
> >
> > ...from any of my OpenBSD 5.3 hosts, I get the same response:
>
> > CONNECTED(00000003)
> > 12556912661392:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> > failure:/usr/src/lib/libssl/ssl/../src/ssl/s23_lib.c:177:
>
> Add -no_tls1_2 to your call.
>
> If that works, add some options to sendmail to make SSL_OP_NO_TLSv1_2
> available:
>
> diff -ru sendmail-8.14.7/sendmail/readcf.c
> sendmail-8.14.7-new/sendmail/readcf.c
> --- sendmail-8.14.7/sendmail/readcf.c 2013-03-15 17:54:12.000000000 +0000
> +++ sendmail-8.14.7-new/sendmail/readcf.c 2013-06-24
> 14:26:01.000000000 +0100
> @@ -2303,13 +2303,16 @@
> long sslopt_bits; /* bits to set/clear */
> } SSL_Option[] =
> {
> -/* these are turned on by default */
> +/* Bugs (and some others) are turned on by default */
> #ifdef SSL_OP_MICROSOFT_SESS_ID_BUG
> { "SSL_OP_MICROSOFT_SESS_ID_BUG",
> SSL_OP_MICROSOFT_SESS_ID_BUG },
> #endif
> #ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG
> { "SSL_OP_NETSCAPE_CHALLENGE_BUG",
> SSL_OP_NETSCAPE_CHALLENGE_BUG },
> #endif
> +#ifdef SSL_OP_LEGACY_SERVER_CONNECT
> + { "SSL_OP_LEGACY_SERVER_CONNECT",
> SSL_OP_LEGACY_SERVER_CONNECT },
> +#endif
> #ifdef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
> { "SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG",
> SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG },
> #endif
> @@ -2346,9 +2349,18 @@
> #ifdef SSL_OP_NO_TICKET
> { "SSL_OP_NO_TICKET", SSL_OP_NO_TICKET },
> #endif
> +#ifdef SSL_OP_CISCO_ANYCONNECT
> + { "SSL_OP_CISCO_ANYCONNECT", SSL_OP_CISCO_ANYCONNECT },
> +#endif
> #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
> { "SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION",
> SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
> #endif
> +#ifdef SSL_OP_NO_COMPRESSION
> + { "SSL_OP_NO_COMPRESSION", SSL_OP_NO_COMPRESSION },
> +#endif
> +#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
> + { "SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION",
> SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
> +#endif
> #ifdef SSL_OP_SINGLE_ECDH_USE
> { "SSL_OP_SINGLE_ECDH_USE", SSL_OP_SINGLE_ECDH_USE },
> #endif
> @@ -2373,6 +2385,12 @@
> #ifdef SSL_OP_NO_TLSv1
> { "SSL_OP_NO_TLSv1", SSL_OP_NO_TLSv1 },
> #endif
> +#ifdef SSL_OP_NO_TLSv1_2
> + { "SSL_OP_NO_TLSv1_2", SSL_OP_NO_TLSv1_2 },
> +#endif
> +#ifdef SSL_OP_NO_TLSv1_1
> + { "SSL_OP_NO_TLSv1_1", SSL_OP_NO_TLSv1_1 },
> +#endif
> #ifdef SSL_OP_PKCS1_CHECK_1
> { "SSL_OP_PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1 },
> #endif
> @@ -2385,6 +2403,9 @@
> #ifdef SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
> { "SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG",
> SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG },
> #endif
> +#ifdef SSL_OP_CRYPTOPRO_TLSEXT_BUG
> + { "SSL_OP_CRYPTOPRO_TLSEXT_BUG",
> SSL_OP_CRYPTOPRO_TLSEXT_BUG },
> +#endif
> { NULL, 0 }
> };
> #endif /* STARTTLS && _FFR_TLS_1 */
