OpenSSL 1.0.1g and sendmail/postfix TLS handshakes

To: pkgsrc-users%netbsd.org@localhost
Subject: OpenSSL 1.0.1g and sendmail/postfix TLS handshakes
From: Stephen Borrill <netbsd%precedence.co.uk@localhost>
Date: Wed, 2 Jul 2014 08:22:57 +0100 (BST)

The upgrade to OpenSSL 1.0.1g included more than just the Heartbleed fix.A workaround for TLS v1.2 interoperability with F5 load-balancers wassneaked in too. This causes problems with some IronPort email appliancesand unfortunately, these seem to be annoying common. Sendmail just failswith TLS handshake failed and does not fall back to plain text.


There are a couple of workarounds:
1) Compile OpenSSL with #define TLSEXT_TYPE_padding 21 commented out

2) Build sendmail with -D_FFR_TLS_1 and then use ClientSSLOptions todisable TLS v1.2 (postfix users would need to handle this differently).


Opinions?

Refs:
https://groups.google.com/forum/#!topic/comp.mail.sendmail/SXR51LaIB_U
http://postfix.1071664.n5.nabble.com/OpenSSL-1-0-1g-and-Ironport-SMTP-appliances-interop-issue-td66873.html
http://www.mail-archive.com/openssl-users%openssl.org@localhost/msg73478.html

--
Stephen

Follow-Ups:
- Re: OpenSSL 1.0.1g and sendmail/postfix TLS handshakes
  - From: Greg Troxel

Prev by Date: Re: x11/motif fails to build under Linux
Next by Date: Re: WindowMaker crashing - debugging
Previous by Thread: Problem building multimedia/ffmpeg2 on Haiku
Next by Thread: Re: OpenSSL 1.0.1g and sendmail/postfix TLS handshakes
Indexes:

Home | Main Index | Thread Index | Old Index