First, thank you Philip for jumping on this. Much appreciated.

> This wonderful change (cough) to include SSL_OP_TLSEXT_PADDING in
> SSL_OP_ALL was addressed in sendmail 8.15.1, which explicitly removes
> SSL_OP_TLSEXT_PADDING from the default ClientSSLOptions value if that
> #define exists. I believe Greg is working on importing that to FreeBSD.

sendmail 8.15.1 is imported into the vendor area but not merged due to an incompatible change that is being moved into a run-time configuration variable in 8.15.2. Rather than expose the FreeBSD populate to the churn from that change, I am skipping 8.15.1 and will import 8.15.2.

That being said, I can certainly make the local fix that Philip mentioned to take care of the padding issue. Is the new libssl in 11-CURRENT going to be/already been MFC'ed to other branches?

On Mar 11, 2015, at 9:15 AM, Gregory Shapiro <gshapiro at freebsd.org> wrote:

> First, thank you Philip for jumping on this. Much appreciated.
>
>> This wonderful change (cough) to include SSL_OP_TLSEXT_PADDING in
>> SSL_OP_ALL was addressed in sendmail 8.15.1, which explicitly removes
>> SSL_OP_TLSEXT_PADDING from the default ClientSSLOptions value if that
>> #define exists. I believe Greg is working on importing that to FreeBSD.
>
> sendmail 8.15.1 is imported into the vendor area but not merged due to an incompatible change that is being moved into a run-time configuration variable in 8.15.2. Rather than expose the FreeBSD populate to the churn from that change, I am skipping 8.15.1 and will import 8.15.2.
>
> That being said, I can certainly make the local fix that Philip mentioned to take care of the padding issue. Is the new libssl in 11-CURRENT going to be/already been MFC'ed to other branches?

I'm still *really* hesitant for us to be patching OpenSSL for a bug on a middlebox vendor's system that already has a fix.

--Paul Hoffman

On 3/11/15 9:15 AM, Gregory Shapiro wrote:

> First, thank you Philip for jumping on this. Much appreciated.
>
>> This wonderful change (cough) to include SSL_OP_TLSEXT_PADDING in
>> SSL_OP_ALL was addressed in sendmail 8.15.1, which explicitly removes
>> SSL_OP_TLSEXT_PADDING from the default ClientSSLOptions value if that
>> #define exists. I believe Greg is working on importing that to FreeBSD.
>
> sendmail 8.15.1 is imported into the vendor area but not merged due to an incompatible change that is being moved into a run-time configuration variable in 8.15.2. Rather than expose the FreeBSD populate to the churn from that change, I am skipping 8.15.1 and will import 8.15.2.
>
> That being said, I can certainly make the local fix that Philip mentioned to take care of the padding issue. Is the new libssl in 11-CURRENT going to be/already been MFC'ed to other branches?

The change is in libssl1.0.1g and later, so yes, it's already in 10.