Gregory Shapiro
2015-Jun-20 03:22 UTC
[FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-15:08.sendmail
> I'll probably fix this by changing /etc/rc.d/sendmail to do the above.
>
> I'll also look into the sendmail source behavior when the file doesn't
> exist (it should revert to its defaults).

As a quick update, the sendmail open source team have completed a set of changes to address these issues. I'll be testing a new change this weekend for a revised Errata Notice. I'll post a patch here by tomorrow for those willing to assist in testing.
Gregory Shapiro
2015-Jun-21 05:55 UTC
[FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-15:08.sendmail
> I'll post a patch here by tomorrow for those willing to assist in testing.

As promised, there are two patches attached to this email, only one of which is needed (see below). This fixes the case where the DHParameters option is set to a file which doesn't exist, which is the case on newer versions of FreeBSD which enable STARTTLS by default by auto-creating TLS certificates.

The first attachment, new.patch, is just the change since the one committed to svn for the errata (i.e., if you have an up-to-date svn checkout, use this one). The second attachment, full.patch, is the full set of changes needed (i.e., the ones from the first errata to tls.c and the new one to sendmail.h for the outstanding fix). You only need one; don't try to apply both.

Since the change is to a .h file, be sure to build carefully (either do a make depend or a make clean if not using a full buildworld). If testing, please try before Monday and drop me a note (no need to reply-all) letting me know if you were successful or not.

-------------- next part -------------- Index: contrib/sendmail/src/sendmail.h ==================================================================--- contrib/sendmail/src/sendmail.h (revision 284661) +++ contrib/sendmail/src/sendmail.h (working copy) @@ -1935,7 +1935,7 @@ /* server requirements */ #define TLS_I_SRV (TLS_I_SRV_CERT | TLS_I_RSA_TMP | TLS_I_VRFY_PATH | \ - TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH512 | \ + TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH1024 | \ TLS_I_CACHE) /* client requirements */ -------------- next part -------------- Index: contrib/sendmail/src/tls.c ==================================================================--- contrib/sendmail/src/tls.c (revision 283856) +++ contrib/sendmail/src/tls.c (working copy) 
@@ -650,7 +650,7 @@ ** 1024 generate 1024 bit parameters ** 2048 generate 2048 bit parameters ** /file/name read parameters from /file/name - ** default is: 1024 for server, 512 for client (OK? XXX) + ** default is: 1024 */ if (bitset(TLS_I_TRY_DH, req)) @@ -676,8 +676,8 @@ } if (dhparam == NULL) { - dhparam = srv ? "1" : "5"; - req |= (srv ? TLS_I_DH1024 : TLS_I_DH512); + dhparam = "1"; + req |= TLS_I_DH1024; } else if (*dhparam == '/') { Index: contrib/sendmail/src/sendmail.h ==================================================================--- contrib/sendmail/src/sendmail.h (revision 283856) +++ contrib/sendmail/src/sendmail.h (working copy) @@ -1935,7 +1935,7 @@ /* server requirements */ #define TLS_I_SRV (TLS_I_SRV_CERT | TLS_I_RSA_TMP | TLS_I_VRFY_PATH | \ - TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH512 | \ + TLS_I_VRFY_LOC | TLS_I_TRY_DH | TLS_I_DH1024 | \ TLS_I_CACHE) /* client requirements */
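Review bot: the new.patch hunk for sendmail.h (line 1935) switches the TLS_I_SRV mask from TLS_I_DH512 to TLS_I_DH1024, which agrees with the 1024-bit default set in tls.c, but the hunk ends at the `/* client requirements */` comment without showing the TLS_I_CLT mask that follows; since the tls.c change drops the client/server distinction for the default, confirm that TLS_I_CLT no longer carries TLS_I_DH512 either. Because TLS_I_SRV is a macro in a widely included header, every object that includes sendmail.h must be rebuilt, which is the reason for the make depend / make clean advice in the cover note.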
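Review bot: the comment hunk in tls.c at line 650 removes the "(OK? XXX)" marker and the 512-bit client case, matching the code change below it, but "default is: 1024" would be clearer as "default is: 1024 for both server and client", since the old comment explicitly distinguished the two and a reader of this diff will otherwise look for where the client case went.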
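Review bot: the tls.c hunk at line 676 changes only the `dhparam == NULL` branch, so `srv` is no longer consulted there; check that `srv` is still referenced elsewhere in the function, or the compiler will warn about an unused parameter. More importantly, the cover note describes the failure as DHParameters naming a file that does not exist, which is the `*dhparam == '/'` branch that begins at the end of this hunk and is not shown, so the fallback to the 1024-bit default for a missing file has to be verified in that branch rather than in this one. Dropping the `"5"` (512-bit) client default removes export-grade DH parameters, which is the right direction; a one-line comment that `"1"` is shorthand for 1024-bit parameters (as the option documentation above lists 1024 and 2048) would help readers who do not know the encoding.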
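Review bot: the sendmail.h hunk in full.patch is the same change as the one in new.patch, differing only in the base revision (283856 versus 284661), so a tree that already has new.patch applied will reject or duplicate it; this is why the cover note says to apply only one of the two attachments, and a dry run of patch before applying is a cheap way to confirm which one a given checkout needs.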