From owner-svn-src-stable@FreeBSD.ORG Wed Jun 17 03:22:19 2015 Return-Path: Delivered-To: svn-src-stable@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 6AE3A70; Wed, 17 Jun 2015 03:22:19 +0000 (UTC) (envelope-from gshapiro@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 583DC113; Wed, 17 Jun 2015 03:22:19 +0000 (UTC) (envelope-from gshapiro@FreeBSD.org) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id t5H3MJRD093562; Wed, 17 Jun 2015 03:22:19 GMT (envelope-from gshapiro@FreeBSD.org) Received: (from gshapiro@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id t5H3MJ5Q093561; Wed, 17 Jun 2015 03:22:19 GMT (envelope-from gshapiro@FreeBSD.org) Message-Id: <201506170322.t5H3MJ5Q093561@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: gshapiro set sender to gshapiro@FreeBSD.org using -f From: Gregory Neil Shapiro Date: Wed, 17 Jun 2015 03:22:19 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org Subject: svn commit: r284491 - stable/8/contrib/sendmail/src X-SVN-Group: stable-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Jun 2015 03:22:19 -0000 Author: gshapiro Date: Wed Jun 17 03:22:18 2015 New Revision: 284491 URL: https://svnweb.freebsd.org/changeset/base/284491 Log: MFC: The import of openssl to address the FreeBSD-SA-15:10.openssl security advisory includes a change which rejects handshakes with DH parameters below 768 bits. sendmail releases prior to 8.15.2 (not yet released), defaulted to a 512 bit DH parameter setting for client connections. This commit chages that default to 1024 bits. sendmail 8.15.2, when released well use a default of 2048 bits. Modified: stable/8/contrib/sendmail/src/tls.c Directory Properties: stable/8/contrib/sendmail/ (props changed) Modified: stable/8/contrib/sendmail/src/tls.c ============================================================================== --- stable/8/contrib/sendmail/src/tls.c Wed Jun 17 03:19:31 2015 (r284490) +++ stable/8/contrib/sendmail/src/tls.c Wed Jun 17 03:22:18 2015 (r284491) @@ -650,7 +650,7 @@ inittls(ctx, req, options, srv, certfile ** 1024 generate 1024 bit parameters ** 2048 generate 2048 bit parameters ** /file/name read parameters from /file/name - ** default is: 1024 for server, 512 for client (OK? XXX) + ** default is: 1024 */ if (bitset(TLS_I_TRY_DH, req)) @@ -676,8 +676,8 @@ inittls(ctx, req, options, srv, certfile } if (dhparam == NULL) { - dhparam = srv ? "1" : "5"; - req |= (srv ? TLS_I_DH1024 : TLS_I_DH512); + dhparam = "1"; + req |= TLS_I_DH1024; } else if (*dhparam == '/') {