pkgsrc-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: OpenSSL 1.0.1g and sendmail/postfix TLS handshakes

On Wed, Jul 02, 2014 at 09:50:55AM -0400, Greg Troxel wrote:
> Stephen Borrill <> writes:
> > The upgrade to OpenSSL 1.0.1g included more than just the Heartbleed
> > fix. A workaround for TLS v1.2 interoperability with F5 load-balancers
> > was sneaked in too. This causes problems with some IronPort email
> > appliances and unfortunately, these seem to be annoying
> > common. Sendmail just fails with TLS handshake failed and does not
> > fall back to plain text.
> >
> > There are a couple of workarounds:
> > 1) Compile OpenSSL with #define TLSEXT_TYPE_padding 21 commented out
> > 2) Build sendmail with -D_FFR_TLS_1 and then use ClientSSLOptions to
> > disable TLS v1.2 (postfix users would need to handle this
> > differently).
> This seems like quite a mess.  As I understand it, the F5 devices are
> buggy, and there's a protocol change to avoid that, and that change
> exposes bugs on the ironport devices (referenced to the older specs,
> which say this new padding extension should be ignored, presumably).
> It seems like the right fix is for sendmail to retry without TLS (if
> it's not configured to require TLS, of course).  Taking the extension
> out of openssl seems reasonable as well, since only buggy peers need it.
> Downgrading TLS for all mail seems less reasonable, as it has a negative
> impact on communications with standards-conforming peers.
> Another idea is to make the openssl use of the extension configurable,
> so that it can be easily disabled without rebuilding.

It seems that this has now been addressed in

so "the padding extension is no longer used by default" since 1 June 2014.

I think the padding option should should just be zapped from pkgsrc, and
the next openssl update will make it easy for F5 users to enable the
work around.




Home | Main Index | Thread Index | Old Index