> I created it per your instructions. See above about it not existing
> previously.

Oh, sorry for the confusion. Seems an emergency patch is in order to change the default.

Would you be willing to test this patch (apply, build, install, remove dh.params file, and restart)?

The patch changes the client and server default to 2048 (previous 512 and 1024) to help mitigate LogJam/WeakDH.

Index: src/tls.c ==================================================================--- src/tls.c (revision 284402) +++ src/tls.c (working copy) @@ -676,8 +676,8 @@ } if (dhparam == NULL) { - dhparam = srv ? "1" : "5"; - req |= (srv ? TLS_I_DH1024 : TLS_I_DH512); + dhparam = "2"; + req |= TLS_I_DH2048; } else if (*dhparam == '/') {
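Review bot: the hunk changes only the `dhparam == NULL` default, so an .mc that explicitly sets confDH_PARAMETERS to `5` (512 bits) or to a path holding previously generated 512-bit parameters is untouched and stays weak after this patch; the accompanying text should say that explicit settings still need the manual change, and that a cached dh.params file must be removed (as the test instructions above already require). Also, the hunk uses TLS_I_DH2048 and the "2" value without any matching definition in the patch; confirm both already exist in this tree, otherwise the build breaks.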
On Sun, Jun 14, 2015 at 08:23:33PM -0700, Gregory Shapiro wrote:
> > I created it per your instructions. See above about it not existing
> > previously.
>
> Oh, sorry for the confusion. Seems an emergency patch is in order to change the default.

For now, I've added an UPDATING entry:

+20150614: + The import of openssl to address the FreeBSD-SA-15:10.openssl + security advisory includes a change which rejects handshakes + with DH parameters below 768 bits. sendmail releases prior + to 8.15.2 (not yet released), defaulted to a 512 bit + DH parameter setting for client connections. To work around + this interoperability, sendmail can be configured to use a + 2048 bit DH parameter by: + + 1. Edit /etc/mail/`hostname`.mc + 2. If a setting for confDH_PARAMETERS does not exist or + exists and is set to a string beginning with '5', + replace it with '2'. + 3. If a setting for confDH_PARAMETERS exists and is set to + a file path, create a new file with: + openssl dhparam -out /path/to/file 2048 + 4. Rebuild the .cf file: + cd /etc/mail/; make; make install + 5. Restart sendmail: + cd /etc/mail/; make restart + + A sendmail patch is coming, at which time this file will be + updated.
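Review bot: the entry says the new OpenSSL rejects DH below 768 bits and then prescribes 2048, but never says why a reader should not pick `1` (the 1024-bit built-in value, which already clears the 768-bit floor); since the reason for 2048 is LogJam/WeakDH, step 2 should say so explicitly, and step 3 should say that an existing parameter file must be replaced rather than kept if it is 512 bits. Minor: "To work around this interoperability" is missing a noun ("interoperability problem").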
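The UPDATING steps above, turned into a script that applies steps 2 and 3 to a .mc file and reports the effective confDH_PARAMETERS value. This is an added example and is not code from the thread, from FreeBSD or from sendmail: the function names (mc_dh_value, fix_dh_params, dh_bits) are mine, it assumes the .mc expresses the setting in the usual define(`confDH_PARAMETERS', `...')dnl form, the sample .mc content is constructed, and openssl is needed only for the optional dh_bits check.

```sh
#!/bin/sh
# Added example, not code from the thread or from FreeBSD/sendmail: applies the
# UPDATING workaround (steps 2 and 3) to a sendmail .mc file and reports the
# effective confDH_PARAMETERS value afterwards.
# Assumptions: the .mc uses the usual define(`confDH_PARAMETERS', `...')dnl
# form; openssl is only needed for the optional dh_bits check.
set -e

BQ='`'   # m4 opening quote, kept in a variable to avoid shell backtick quoting

# mc_dh_value MCFILE: prints the current confDH_PARAMETERS value ("" if unset).
mc_dh_value() {
    sed -n "s/^define(.confDH_PARAMETERS', *.\([^']*\)').*/\1/p" "$1" | head -n 1
}

# fix_dh_params MCFILE: rewrites the .mc per the UPDATING entry and prints the
# resulting value on stdout.
#   unset            -> append define(`confDH_PARAMETERS', `2')dnl
#   starts with '5'  -> replace with '2' (the 2048-bit built-in value)
#   a file path      -> .mc left alone; the openssl command that regenerates
#                       the file at 2048 bits is printed on stderr
#   anything else    -> left alone ('1' is the 1024-bit value, which the
#                       LogJam/WeakDH motivation argues against; prefer '2')
fix_dh_params() {
    mc="$1"
    cur=$(mc_dh_value "$mc")
    case "$cur" in
        "")
            printf "define(${BQ}confDH_PARAMETERS', ${BQ}2')dnl\n" >> "$mc"
            echo 2 ;;
        5*)
            # portable in-place edit (no sed -i): write a temp file, then rename
            sed "s/^define(.confDH_PARAMETERS', *.5[^']*').*/define(${BQ}confDH_PARAMETERS', ${BQ}2')dnl/" \
                "$mc" > "$mc.tmp" && mv "$mc.tmp" "$mc"
            echo 2 ;;
        /*)
            echo "regenerate the parameter file: openssl dhparam -out $cur 2048" >&2
            echo "$cur" ;;
        *)
            echo "$cur" ;;
    esac
}

# dh_bits FILE: prints the prime size of a PEM DH parameter file (needs openssl),
# so a path-based setting can be checked before the .cf is rebuilt.
dh_bits() {
    openssl dhparam -in "$1" -text -noout 2>/dev/null \
        | sed -n 's/.*DH Parameters: (\([0-9]*\) bit).*/\1/p'
}

# Demo on a constructed .mc (not a real host's file):
demo_dir=$(mktemp -d)
printf "VERSIONID(${BQ}demo')dnl\ndefine(${BQ}confDH_PARAMETERS', ${BQ}5')dnl\n" > "$demo_dir/demo.mc"
echo "confDH_PARAMETERS before: $(mc_dh_value "$demo_dir/demo.mc")"
echo "confDH_PARAMETERS after:  $(fix_dh_params "$demo_dir/demo.mc")"
rm -rf "$demo_dir"
# Then, as in the UPDATING entry: cd /etc/mail; make; make install; make restart
```

Run it against a copy of /etc/mail/`hostname`.mc first. For the file-path case it deliberately prints the openssl dhparam command instead of running it, since generating 2048-bit parameters takes a while; dh_bits lets you confirm the size of the resulting file before the make; make install; make restart steps.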
On Sun, 14 Jun 2015, Gregory Shapiro wrote:

>> I created it per your instructions. See above about it not existing
>> previously.
>
> Oh, sorry for the confusion. Seems an emergency patch is in order to change the default.
>
> Would you be willing to test this patch (apply, build, install, remove dh.params file, and restart)?
>
> The patch changes the client and server default to 2048 (previous 512 and 1024) to help mitigate LogJam/WeakDH.
>
> Index: src/tls.c > ==================================================================> --- src/tls.c (revision 284402) > +++ src/tls.c (working copy) > @@ -676,8 +676,8 @@ > } > if (dhparam == NULL) > { > - dhparam = srv ? "1" : "5"; > - req |= (srv ? TLS_I_DH1024 : TLS_I_DH512); > + dhparam = "2"; > + req |= TLS_I_DH2048; > } > else if (*dhparam == '/') > {

Do you mean just build and install sendmail, or world and kernel? I can do world and kernel if you want me to; it only takes about 2 hours to build world and 20 minutes to build the kernel, so it's no big deal. I'll need instructions on how to patch the file, though; I've never done it before.