pkgsrc-Users archive


OpenSSL 1.0.1g and sendmail/postfix TLS handshakes



The upgrade to OpenSSL 1.0.1g included more than just the Heartbleed fix. A workaround for TLS v1.2 interoperability with F5 load-balancers was sneaked in too. This causes problems with some IronPort email appliances and, unfortunately, these seem to be annoyingly common. Sendmail just fails with "TLS handshake failed" and does not fall back to plain text.

There are a couple of workarounds:
1) Compile OpenSSL with #define TLSEXT_TYPE_padding 21 commented out
2) Build sendmail with -D_FFR_TLS_1 and then use ClientSSLOptions to disable TLS v1.2 (postfix users would need to handle this differently).

Opinions?

Refs:
https://groups.google.com/forum/#!topic/comp.mail.sendmail/SXR51LaIB_U
http://postfix.1071664.n5.nabble.com/OpenSSL-1-0-1g-and-Ironport-SMTP-appliances-interop-issue-td66873.html
http://www.mail-archive.com/openssl-users%openssl.org@localhost/msg73478.html

--
Stephen


