SCIENTIFIC-LINUX-USERS Archives

July 2015

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Akemi Yagi <[log in to unmask]>
Reply To: Akemi Yagi <[log in to unmask]>
Date: Fri, 10 Jul 2015 08:59:56 -0700
Content-Type: text/plain

On Fri, Jul 10, 2015 at 6:53 AM, Franchisseur Robert
<[log in to unmask]> wrote:
> Hello,
>
> since last security update of openssl I cannot send mail with sendmail
> on SL5
>
> on client side I got :
>
> Jul  8 02:50:18 localhost sendmail[14301]: STARTTLS=client, error: connect failed=-1, SSL_error=1,errno=0, retry=-1
> Jul  8 02:50:18 localhost sendmail[14301]: STARTTLS=client: 14301:error:14082174:SSLroutines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:2429:
> Jul  8 02:50:18 localhost sendmail[14301]: t680oDCp014299: to=<[log in to unmask]>, delay=00:00:05,xdelay=00:00:05, mailer=smtp, pri=120973, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: 4034.7.0 server not authenticated.
>
> and on server side :
>
> Jul  8 02:50:10 manne sendmail[14056]: STARTTLS=server, error: accept failed=0, SSL_error=1, errno=0,retry=-1
> Jul  8 02:50:10 manne sendmail[14056]: STARTTLS=server: 14056:error:14094410:SSLroutines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1092:SSL alert number 40
> Jul  8 02:50:10 manne sendmail[14056]: t680oA5j014056: gurtu2.lmd.jussieu.fr [134.157.176.59] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>
> so I had to downgrade openssl on both sides to make that work.
>
> Does anyone know what is to be done to use the last openssl?

This must be related to:

https://bugzilla.redhat.com/show_bug.cgi?id=1228892

Comment 3 says, "That means the servers use seriously insecure DH
parameters (shorter than 768 bits).

Can you specify the TLS ciphersuite string in the client? If so, just
set DEFAULT:!EDH:!DHE as the ciphersuites and you should be able to
connect."

Akemi
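
An added example, not part of the original messages: a small Python triage helper that parses the OpenSSL error-queue entries sendmail writes in the STARTTLS log lines quoted above and labels the two failures seen in this thread. The function names and labels are hypothetical; the sample lines are copied from the post.

```python
import re

# Log lines copied from the post above: client side first, then server side.
SAMPLE_LOG = """\
Jul  8 02:50:18 localhost sendmail[14301]: STARTTLS=client, error: connect failed=-1, SSL_error=1,errno=0, retry=-1
Jul  8 02:50:18 localhost sendmail[14301]: STARTTLS=client: 14301:error:14082174:SSLroutines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:2429:
Jul  8 02:50:10 manne sendmail[14056]: STARTTLS=server, error: accept failed=0, SSL_error=1, errno=0,retry=-1
Jul  8 02:50:10 manne sendmail[14056]: STARTTLS=server: 14056:error:14094410:SSLroutines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1092:SSL alert number 40
"""

# syslog prefix from sendmail, then OpenSSL's error-queue layout:
#   pid:error:code:library:function:reason:file:line:extra
ERR_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sendmail\[(?P<pid>\d+)\]: "
    r"STARTTLS=(?P<role>client|server): \d+:error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*):"
    r"(?P<file>[^:]*):(?P<line>\d+):(?P<extra>.*)$"
)


def parse_starttls_errors(text):
    """Return one dict per OpenSSL error-queue entry found in the log text."""
    return [m.groupdict() for m in map(ERR_RE.match, text.splitlines()) if m]


def diagnose(entry):
    """Map an entry to (label, hint). Labels are this example's own."""
    reason = entry["reason"].lower()
    if "dh key too small" in reason:
        # The local OpenSSL refused the DH parameters the peer offered.
        return ("weak-dh", "peer's DH parameters are too small; fix them on "
                "the server, or exclude DHE on the client (DEFAULT:!EDH:!DHE)")
    if "alert handshake failure" in reason:
        # Alert 40 was received from the peer; the cause is in the peer's log.
        return ("peer-alert", "peer aborted the handshake; check its log")
    return ("unclassified", "no rule for this reason string")


if __name__ == "__main__":
    for e in parse_starttls_errors(SAMPLE_LOG):
        label, hint = diagnose(e)
        print(f"{e['host']} {e['role']} {e['code']} {label}: {hint}")
```
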
