Date:      Sun, 14 Jun 2015 20:23:33 -0700
From:      Gregory Shapiro <gshapiro@gshapiro.net>
To:        Frank Seltzer <frank_s@bellsouth.net>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: Sendmail problem after upgrade to r284296
Message-ID:  <20150615032333.GE21822@minime.local>
In-Reply-To: <alpine.BSF.2.20.1506142236490.853@Ace.nina.org>
References:  <alpine.BSF.2.20.1506141014130.852@Ace.nina.org> <20150614165507.GD95564@minime.local> <alpine.BSF.2.20.1506141333131.852@Ace.nina.org> <20150614180142.GE95564@minime.local> <alpine.BSF.2.20.1506141952140.853@Ace.nina.org> <20150615013517.GA19755@minime.local> <alpine.BSF.2.20.1506142236490.853@Ace.nina.org>

> I created it per your instructions.  See above about it not existing
> previously.

Oh, sorry for the confusion.  Seems an emergency patch is in order to change the default.

Would you be willing to test this patch (apply, build, install, remove dh.params file, and restart)?

The patch changes the client and server default to 2048 (previous 512 and 1024) to help mitigate LogJam/WeakDH.

Index: src/tls.c
===================================================================
--- src/tls.c	(revision 284402)
+++ src/tls.c	(working copy)
@@ -676,8 +676,8 @@
 		}
 		if (dhparam == NULL)
 		{
-			dhparam = srv ? "1" : "5";
-			req |= (srv ? TLS_I_DH1024 : TLS_I_DH512);
+			dhparam = "2";
+			req |= TLS_I_DH2048;
 		}
 		else if (*dhparam == '/')
 		{
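Review bot: the hunk references TLS_I_DH2048 and the dhparam value "2" without defining either, so the build relies on that flag already existing in the header and on the "2" value already being recognised by the code that interprets dhparam further down; the commit message should confirm both. With both branches now collapsed to one assignment, the `srv` distinction disappears from this block, which is intentional, but the documentation of the DHParameters default (previously 512 for clients and 1024 for servers per the removed lines) needs a matching update to state 2048 for both roles.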
