On Sun, 14 Jun 2015, Gregory Shapiro wrote:
> The new OpenSSL eliminated small DHParam support. That leaves two
> possibilities:
>
> 1. The remote side you are talking to is using a small value. The best
> thing to do would be to eliminate the DH ciphers from your settings. See the
> docs for the CipherList setting.
Both machines are on my home network. Both have default settings.
> 2. Your side is using a small value. Double check your setting:
>
>> grep DHParam /etc/mail/sendmail.cf
> # DHParameters (only required if DSA/DH is used)
> #O DHParameters
# DHParameters (only required if DSA/DH is used)
O DHParameters=/etc/mail/certs/dh.param
# DHParameters (only required if DSA/DH is used)
O DHParameters=/etc/mail/certs/dh.param
Again, default values, no changes to the installed files made.
> If that is set to '5' (or a string beginning with 5) or a filename
> which was created with a 512 bit DHParam, change it to '2' (2048) or a
> newly created file using 'openssl dhparam -out /path/to/file 2048'. In
> your /etc/mail/`hostname`.mc file, this setting will show as confDH_PARAMETERS.
>
> Also note that the first version of the openssl fix included an ABI issue
> and a new version was released. Make sure you are using the latest version.
root at Shop:/etc/mail/certs # openssl version
OpenSSL 1.0.1n-freebsd 11 Jun 2015
root at Shop:/etc/mail/certs # svnlite info /usr/src/
Path: /usr/src
Working Copy Root Path: /usr/src
URL: svn://ace/src/stable/10
Relative URL: ^/stable/10
Repository Root: svn://ace/src
Repository UUID: ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
Revision: 284296
Node Kind: directory
Schedule: normal
Last Changed Author: jkim
Last Changed Rev: 284285
Last Changed Date: 2015-06-11 15:07:45 -0400 (Thu, 11 Jun 2015)
root at Ace:/usr/ports # openssl version
OpenSSL 1.0.1n-freebsd 11 Jun 2015
root at Ace:/usr/ports # svnlite info /usr/src/
Path: /usr/src
Working Copy Root Path: /usr/src
URL: svn://ace/src/stable/10
Relative URL: ^/stable/10
Repository Root: svn://ace/src
Repository UUID: ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
Revision: 284296
Node Kind: directory
Schedule: normal
Last Changed Author: jkim
Last Changed Rev: 284285
Last Changed Date: 2015-06-11 15:07:45 -0400 (Thu, 11 Jun 2015)
Has anything changed since then? Does this revision have the openssl
changes?
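
The check described in the quoted reply, written out as an added example that is not part of the original message or of sendmail itself: it reads the active DHParameters line from a sendmail.cf and reports whether it points at 512-bit or 2048-bit parameters, or at a parameter file whose size openssl can print. The function names `dh_audit` and `dh_file_bits` are hypothetical, and treating the last active line as the effective one is an assumption.

```shell
#!/bin/sh
# Added example: audit the DHParameters setting of a sendmail.cf.
# Usage: sh dh_audit.sh /etc/mail/sendmail.cf

# Print the size in bits of a PEM DH parameter file, or "unknown" if the
# file cannot be parsed or openssl is not installed.
dh_file_bits() {
    command -v openssl >/dev/null 2>&1 || { echo unknown; return 0; }
    # "openssl dhparam -text" prints a header containing "(N bit)".
    bits=$(openssl dhparam -in "$1" -noout -text 2>/dev/null |
           sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    echo "${bits:-unknown}"
}

# Classify the DHParameters value found in the cf file given as $1.
# Returns 0 if nothing needs changing, 1 if weak, 2 if it cannot tell.
dh_audit() {
    # Commented-out lines ("#O DHParameters") do not match.
    # Assumption: when the option appears more than once, the last one wins.
    val=$(sed -n 's/^O[[:space:]]*DHParameters=[[:space:]]*//p' "$1" | tail -n 1)
    case $val in
        '')
            echo "unset: no active DHParameters line"; return 0 ;;
        /*)
            bits=$(dh_file_bits "$val")
            if [ "$bits" = unknown ]; then
                echo "unknown: cannot read DH parameters from $val"; return 2
            elif [ "$bits" -lt 2048 ]; then
                echo "weak: $val holds $bits-bit parameters"; return 1
            fi
            echo "ok: $val holds $bits-bit parameters"; return 0 ;;
        5*)
            echo "weak: 512-bit parameters selected"; return 1 ;;
        2*)
            echo "ok: 2048-bit parameters selected"; return 0 ;;
        *)
            echo "unknown: unrecognised value '$val'"; return 2 ;;
    esac
}

if [ $# -gt 0 ]; then
    dh_audit "$1"
fi
```

A "weak" result for a file is fixed as the reply says, by regenerating it with 'openssl dhparam -out /path/to/file 2048'; the same check should be run on both the sending and the receiving host.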