pkgsrc-Users archive


ECDH support for sendmail
Hi

If nobody complains, I would like to commit this patch, which brings
optional ECDH support to the sendmail package:
http://ftp.Espci.fr/shadow/manu/sendmail-ecdh.patch

For anyone interested, I build sendmail with 
PKG_OPTIONS.sendmail=tls ffr_tls_1 ecdh

And I have the following in sendmail.cf:

O CACertPath=/etc/openssl/certs/
O CACertFile=/etc/openssl/certs/tcs-chain.crt
O ServerCertFile=/etc/openssl/certs/server.crt
O ServerKeyFile=/etc/openssl/private/server.key
O DHParameters=/etc/openssl/certs/dh1024.pem
O CipherList=ECDH@STRENGTH:DH@STRENGTH:HIGH:!RC4:!MD5:!DES:!aNULL:!eNULL
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_CIPHER_SERVER_PREFERENCE

Results:

Nov  5 04:10:22 valmont sendmail[18367]: STARTTLS=client,
relay=server.example.com., version=TLSv1/SSLv3, verify=FAIL,
cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128

Nov  5 05:52:13 valmont sendmail[17789]: STARTTLS=server,
relay=host.example.net [192.0.2.159], version=TLSv1/SSLv3, verify=NO,
cipher=ECDHE-RSA-AES256-SHA, bits=256/256

Notes on compatibility: I forbid RC4 in CipherList after observing in
the logs that nobody tries to negotiate it. On the other hand, I tried
ClientSSLOptions=+SSL_OP_NO_SSLv2 but that breaks many outgoing
connections.
-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu%netbsd.org@localhost

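The STARTTLS log lines above are the evidence the post relies on to decide what to drop from CipherList (RC4 went because no peer negotiated it). What follows is an added example, not code from the post or from the sendmail package: a small Python audit that parses sendmail STARTTLS log lines and checks each session against the same exclusions the post's CipherList expresses (!RC4, !MD5, !DES, !aNULL, !eNULL), flags sessions without ephemeral key exchange, and reports sessions where the peer certificate was not verified (verify=FAIL or verify=NO, as in both logged sessions). The sample log is constructed: it contains the post's two lines unwrapped onto single lines as syslog writes them, plus three made-up lines (an RC4 session, a verified DHE session and a non-TLS line) to exercise the checks; the hostnames and PIDs in those extra lines are invented. One caveat the log cannot show: the DHParameters file in the post is 1024-bit, and current guidance is at least 2048 bits for DH groups, so the "bits" column (which reports the symmetric key size) says nothing about DH group strength.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two STARTTLS lines from the post, unwrapped onto
# single lines as syslog writes them, plus three made-up lines (an RC4
# session, a verified DHE session and a non-TLS line) to exercise the checks.
SAMPLE_LOG = """\
Nov  5 04:10:22 valmont sendmail[18367]: STARTTLS=client, relay=server.example.com., version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128
Nov  5 05:52:13 valmont sendmail[17789]: STARTTLS=server, relay=host.example.net [192.0.2.159], version=TLSv1/SSLv3, verify=NO, cipher=ECDHE-RSA-AES256-SHA, bits=256/256
Nov  5 06:01:40 valmont sendmail[17802]: STARTTLS=server, relay=old.example.org [192.0.2.7], version=TLSv1/SSLv3, verify=NO, cipher=RC4-SHA, bits=128/128
Nov  5 06:15:02 valmont sendmail[17815]: STARTTLS=client, relay=mx.example.com., version=TLSv1/SSLv3, verify=OK, cipher=DHE-RSA-AES256-SHA, bits=256/256
Nov  5 06:20:11 valmont sendmail[17820]: from=<a@example.com>, size=1234, class=0, nrcpts=1
"""

STARTTLS_RE = re.compile(
    r"sendmail\[(?P<pid>\d+)\]: STARTTLS=(?P<role>client|server), "
    r"relay=(?P<relay>[^,]+), version=(?P<version>[^,]+), "
    r"verify=(?P<verify>[^,]+), cipher=(?P<cipher>[^,]+), "
    r"bits=(?P<bits>\d+)/(?P<algbits>\d+)"
)


@dataclass
class TlsEvent:
    pid: int
    role: str      # "client" (outgoing) or "server" (incoming)
    relay: str
    version: str
    verify: str    # OK, NO, FAIL, NONE, ...
    cipher: str    # OpenSSL suite name as sendmail logs it
    bits: int      # symmetric key bits as logged; says nothing about DH size


def parse_line(line: str) -> Optional[TlsEvent]:
    """Return a TlsEvent for a sendmail STARTTLS log line, else None."""
    m = STARTTLS_RE.search(line)
    if not m:
        return None
    return TlsEvent(
        pid=int(m["pid"]), role=m["role"], relay=m["relay"].strip(),
        version=m["version"], verify=m["verify"], cipher=m["cipher"],
        bits=int(m["bits"]),
    )


def uses_ecdh(cipher: str) -> bool:
    """True when the negotiated suite did its key exchange over an elliptic curve."""
    return cipher.startswith(("ECDHE-", "ECDH-", "AECDH-"))


def check(ev: TlsEvent) -> List[str]:
    """Policy findings for one session, mirroring the CipherList exclusions."""
    findings: List[str] = []
    tokens = set(ev.cipher.split("-"))
    # !RC4 / !MD5 / !eNULL: the token appears in the OpenSSL suite name.
    for bad in ("RC4", "MD5", "NULL"):
        if bad in tokens:
            findings.append(f"forbidden cipher component {bad}")
    # !DES excludes single DES only; 3DES suites carry a CBC3 token instead.
    if "DES" in tokens and "CBC3" not in tokens:
        findings.append("forbidden cipher component DES")
    # !aNULL: anonymous key exchange authenticates nobody.
    if ev.cipher.startswith(("ADH-", "AECDH-")):
        findings.append("anonymous key exchange (aNULL)")
    # Ephemeral (EC)DH is what gives forward secrecy; static RSA does not.
    if not ev.cipher.startswith(("ECDHE-", "DHE-", "EDH-")):
        findings.append("no forward secrecy")
    if ev.bits < 128:
        findings.append(f"weak key size ({ev.bits} bits)")
    # Encryption without certificate verification is opportunistic only.
    if ev.verify != "OK":
        findings.append(f"peer certificate not verified (verify={ev.verify})")
    return findings


def audit(log_text: str) -> List[Tuple[TlsEvent, List[str]]]:
    """Parse every STARTTLS line in log_text and attach its findings."""
    out = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            out.append((ev, check(ev)))
    return out


def summarize(log_text: str) -> Dict[str, int]:
    """Counts worth reading before tightening CipherList further."""
    events = audit(log_text)
    return {
        "sessions": len(events),
        "ecdh": sum(uses_ecdh(ev.cipher) for ev, _ in events),
        "rc4": sum("RC4" in ev.cipher.split("-") for ev, _ in events),
        "verified": sum(ev.verify == "OK" for ev, _ in events),
        "clean": sum(not f for _, f in events),
    }


if __name__ == "__main__":
    for ev, findings in audit(SAMPLE_LOG):
        status = "ok" if not findings else "; ".join(findings)
        print(f"{ev.role:6} {ev.relay:32} {ev.cipher:32} {status}")
    print(summarize(SAMPLE_LOG))
```

Run against a real maillog, the "rc4" count is the check the post describes doing by eye before adding !RC4, and a non-zero "ecdh" count confirms the patched build is actually negotiating ECDHE suites rather than falling back to DHE or static RSA.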
