> Jun 14 00:50:04 Ace sm-msp-queue[79406]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
> Jun 14 00:50:04 Ace sm-msp-queue[79406]: ruleset=tls_server, arg1=SOFTWARE, relay=[127.0.0.1], reject=403 4.7.0 TLS handshake.

The new OpenSSL eliminated small DHParam support. That leaves two possibilities:

1. The remote side you are talking to is using a small value. The best thing to do would be to eliminate the DH ciphers from your settings. See the docs for the CipherList setting.

2. Your side is using a small value. Double check your setting:

> grep DHParam /etc/mail/sendmail.cf
# DHParameters (only required if DSA/DH is used)
#O DHParameters

If that is set to '5' (or a string beginning with 5) or a filename which was created with a 512 bit DHParam, change it to '2' (2048) or a newly created file using 'openssl dhparam -out /path/to/file 2048'. In your /etc/mail/`hostname`.mc file, this setting will show as confDH_PARAMETERS.

Also note that the first version of the openssl fix included an ABI issue and a new version was released. Make sure you are using the latest version.
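The check in point 2 above, as an added example (not code from the thread, from sendmail or from OpenSSL): a small Python tool that reads a "DH PARAMETERS" PEM file such as /etc/mail/certs/dh.param, decodes the PKCS#3 DHParameter structure (SEQUENCE of INTEGER p, INTEGER g, optional INTEGER privateValueLength) and reports how many bits the prime p has. OpenSSL 1.0.1n and 1.0.2b reject DH parameters shorter than 768 bits; the audit below uses the 2048 bits recommended above as its threshold. The sample files it builds are constructed for the demonstration only: their moduli are placeholders with the right bit length, not real safe primes, and must never be installed as parameters.

```python
"""Audit a sendmail DH parameter file for the "dh key too small" failure.

Added example, not code from the thread, sendmail or OpenSSL. Parses the
PKCS#3 DHParameter DER inside a "-----BEGIN DH PARAMETERS-----" PEM block and
reports the bit size of the prime p.
"""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----\s*(.*?)\s*-----END DH PARAMETERS-----", re.S
)


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: 0x8N + N bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER value")
    return tag, value, pos + length


def parse_dh_params(pem: str) -> tuple[int, int]:
    """Return (p, g) from the first DH PARAMETERS block in pem."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    ints, pos = [], 0
    while pos < len(seq) and len(ints) < 2:  # p and g; ignore optional 3rd INTEGER
        tag, val, pos = _read_tlv(seq, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        ints.append(int.from_bytes(val, "big", signed=True))
    if len(ints) != 2 or ints[0] <= 0:
        raise ValueError("malformed DHParameter")
    return ints[0], ints[1]


def dh_prime_bits(pem: str) -> int:
    """Bit length of the DH prime, the number OpenSSL compares to its minimum."""
    return parse_dh_params(pem)[0].bit_length()


def audit_dh_params(pem: str, minimum_bits: int = 2048) -> str:
    """Verdict string: REJECT below minimum_bits (2048 per the thread), else OK."""
    bits = dh_prime_bits(pem)
    if bits < minimum_bits:
        return (f"REJECT: {bits}-bit DH prime; regenerate with "
                f"'openssl dhparam -out /etc/mail/certs/dh.param {minimum_bits}'")
    return f"OK: {bits}-bit DH prime"


# --- constructed sample input (placeholders, NOT real DH parameters) ---------
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(n: int) -> bytes:
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")  # keeps a leading 0x00 if needed
    return b"\x02" + _der_len(len(body)) + body


def make_sample_pem(bits: int, g: int = 2) -> str:
    """Build a syntactically valid PEM whose p is an odd number of exactly `bits` bits."""
    p = (1 << (bits - 1)) | 1
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


if __name__ == "__main__":
    import sys
    if sys.argv[1:]:                       # audit real files given on the command line
        for path in sys.argv[1:]:
            with open(path) as f:
                print(f"{path}: {audit_dh_params(f.read())}")
    else:                                  # no arguments: show the constructed samples
        for bits in (512, 1024, 2048):
            print(f"constructed {bits}-bit sample: {audit_dh_params(make_sample_pem(bits))}")
```

Run it as `python3 dhaudit.py /etc/mail/certs/dh.param` on each host; the same answer comes from the OpenSSL command line with `openssl dhparam -in /etc/mail/certs/dh.param -text -noout`, whose first line states the prime size. A REJECT on a file referenced by `O DHParameters=` in sendmail.cf means that file, not the peer, is what the new OpenSSL refuses, and the fix is the one given above: regenerate it at 2048 bits, or point confDH_PARAMETERS in the .mc file at '2' (`define(`confDH_PARAMETERS', `2')dnl`) and rebuild sendmail.cf.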
On Sun, 14 Jun 2015, Gregory Shapiro wrote:

> The new OpenSSL eliminated small DHParam support. That leaves two possibilities:
>
> 1. The remote side you are talking to is using a small value. The best thing to do would be to eliminate the DH ciphers from your settings. See the docs for the CipherList setting.

Both machines are on my home network. Both have default settings.

> 2. Your side is using a small value. Double check your setting:
>
>> grep DHParam /etc/mail/sendmail.cf
> # DHParameters (only required if DSA/DH is used)
> #O DHParameters

# DHParameters (only required if DSA/DH is used)
O DHParameters=/etc/mail/certs/dh.param

# DHParameters (only required if DSA/DH is used)
O DHParameters=/etc/mail/certs/dh.param

Again, default values, no changes to the installed files made.

> If that is set to '5' (or a string beginning with 5) or a filename which was created with a 512 bit DHParam, change it to '2' (2048) or a newly created file using 'openssl dhparam -out /path/to/file 2048'. In your /etc/mail/`hostname`.mc file, this setting will show as confDH_PARAMETERS.
>
> Also note that the first version of the openssl fix included an ABI issue and a new version was released.
> Make sure you are using the latest version.

root at Shop:/etc/mail/certs # openssl version
OpenSSL 1.0.1n-freebsd 11 Jun 2015
root at Shop:/etc/mail/certs # svnlite info /usr/src/
Path: /usr/src
Working Copy Root Path: /usr/src
URL: svn://ace/src/stable/10
Relative URL: ^/stable/10
Repository Root: svn://ace/src
Repository UUID: ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
Revision: 284296
Node Kind: directory
Schedule: normal
Last Changed Author: jkim
Last Changed Rev: 284285
Last Changed Date: 2015-06-11 15:07:45 -0400 (Thu, 11 Jun 2015)

root at Ace:/usr/ports # openssl version
OpenSSL 1.0.1n-freebsd 11 Jun 2015
root at Ace:/usr/ports # svnlite info /usr/src/
Path: /usr/src
Working Copy Root Path: /usr/src
URL: svn://ace/src/stable/10
Relative URL: ^/stable/10
Repository Root: svn://ace/src
Repository UUID: ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
Revision: 284296
Node Kind: directory
Schedule: normal
Last Changed Author: jkim
Last Changed Rev: 284285
Last Changed Date: 2015-06-11 15:07:45 -0400 (Thu, 11 Jun 2015)

Has anything changed since then? Does this revision have the openssl changes?