[Forwarded from Greg, before he had to go offline]
On Tue, 10 Mar 2015, Julian Elischer wrote:> libssl has a new "feature"
> implemented by:
> crypto/openssl/ssl/t1_lib.c
>
> 672 /* Add padding to workaround bugs in F5 terminators.
> 673 * See https://tools.ietf.org/html/draft-agl-tls-padding-03
> 674 *
> 675 * NB: because this code works out the length of all
existing
> 676 * extensions it MUST always appear last.
> 677 */
> 678 //if (s->options & SSL_OP_TLSEXT_PADDING)
>
> unfortunatly this makes sendmail incompatible with various email servers
> around the world, including (apparently (ironically (*))) Ironport email
> gateways. It fails in TLS handshake.
...> I had to make the following "fix" to libssl to get sendmail to be
able
> to get my tax forms out.
This wonderful change (cough) to include SSL_OP_TLSEXT_PADDING in
SSL_OP_ALL was addressed in sendmail 8.15.1, which explicitly removes
SSL_OP_TLSEXT_PADDING from the default ClientSSLOptions value if that
#define exists. I believe Greg is working on importing that to FreeBSD.
Pending that, simply copy the relevant code from the 8.15.1's
readcf.c:readcf(), which has this:
#if STARTTLS
Srv_SSL_Options = SSL_OP_ALL;
Clt_SSL_Options = SSL_OP_ALL
# ifdef SSL_OP_NO_SSLv2
| SSL_OP_NO_SSLv2
# endif
# ifdef SSL_OP_NO_TICKET
| SSL_OP_NO_TICKET
# endif
;
# ifdef SSL_OP_TLSEXT_PADDING
/* SSL_OP_TLSEXT_PADDING breaks compatibility with some sites */
Srv_SSL_Options &= ~SSL_OP_TLSEXT_PADDING;
Clt_SSL_Options &= ~SSL_OP_TLSEXT_PADDING;
# endif /* SSL_OP_TLSEXT_PADDING */
#endif /* STARTTLS */
You'll just need to add the #ifdef SSL_OP_TLSEXT_PADDING block.
If the default is overriden by explicitly setting the ClientSSLOptions
option in then config, then you may need to explicitly remove it there as
well, such as seen in the implicit default:
O ClientSSLOptions=SSL_OP_ALL SSL_OP_NO_SSLv2 SSL_OP_NO_TICKET
-SSL_OP_TLSEXT_PADDING
This option and default is documented in op.me in the source distribution.
Philip Guenther
Proofpoint Engineering