Solved 10.1-RELEASE-p13 sendmail dh key too small

I just upgraded to 10.1-RELEASE-p13 and am still seeing the following error in /var/log/maillog when trying to send mail.

Code:
Jun 19 13:55:06 server sendmail[1794]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1

I thought that p13 fixed this issue. Did I misunderstand the errata notice?
https://www.freebsd.org/security/advisories/FreeBSD-EN-15:08.sendmail.asc

Thanks!


Note: Prior to the p13 release, I used the following commands on other servers to fix this issue.

Code:
cd /etc/mail/certs
sudo openssl dhparam -out dh.param -2 2048
sudo service sendmail restart
 
The workaround section is what you follow if you are not going to patch your system, correct? If that is the case, then the dh.param regeneration steps should also be added to the solution section if they are required. If the regeneration steps are not required then p13 does not fully solve the problem.
 