On Sun, 14 Jun 2015, Gregory Shapiro wrote:

>> After the update I got your email and followed your instructions, except for
>> moving dh.param because it didn't exist, and sendmail is happy now.
>
> Happy to hear sendmail is happy.
>
>> I checked and there is still no mention of this in /usr/src/UPDATING so my
>> question is, when and how is dh.param supposed to be created? Since I'm not
>> the only one with this problem it doesn't seem to be something I did or
>> didn't do. What could have caused dh.param to not be generated?
>
> That is a good question. If you didn't create it, I don't know what did -- it's not part of the base build (checked on a newly installed snapshot). Are you sure you didn't create it at some point? Not even the mail/sendmail port creates it.

I created it per your instructions. See above about it not existing previously.
> I created it per your instructions. See above about it not existing
> previously.

Oh, sorry for the confusion. Seems an emergency patch is in order to change the default. Would you be willing to test this patch (apply, build, install, remove dh.params file, and restart)? The patch changes the client and server default to 2048 (previous 512 and 1024) to help mitigate LogJam/WeakDH.

Index: src/tls.c ==================================================================--- src/tls.c (revision 284402) +++ src/tls.c (working copy) @@ -676,8 +676,8 @@ } if (dhparam == NULL) { - dhparam = srv ? "1" : "5"; - req |= (srv ? TLS_I_DH1024 : TLS_I_DH512); + dhparam = "2"; + req |= TLS_I_DH2048; } else if (*dhparam == '/') {
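Review bot: the new default `dhparam = "2"; req |= TLS_I_DH2048;` is now applied on the client path as well as the server path, whereas the removed lines only ever requested 512-bit parameters (`"5"` / TLS_I_DH512) when `srv` was false; please confirm that the code consuming `req` handles TLS_I_DH2048 in the non-server case, since that combination did not exist before this hunk. The hunk also changes behaviour for every installation that has no DHParameters setting, while the thread above notes that /usr/src/UPDATING still says nothing about dh.param; an UPDATING entry and a cf documentation update describing the new 2048-bit default (and that an existing dh.param file overrides it) should accompany this patch.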