SCIENTIFIC-LINUX-USERS Archives

July 2015

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
FRANCHISSEUR Robert <[log in to unmask]>
Reply To:
Date:
Sun, 12 Jul 2015 01:52:38 +0200
Content-Type:
multipart/signed
Parts/Attachments:
text/plain (2435 bytes) , application/pgp-signature (194 bytes)
-- Le (On) 2015-07-10 -0700 à (at) 08:59:56 Akemi Yagi écrivit (wrote): --

> On Fri, Jul 10, 2015 at 6:53 AM, Franchisseur Robert
> <[log in to unmask]> wrote:
> > Hello,
> >
> > since last security update of openssl I cannot send mail with sendmail
> > on SL5
> > <snip>
> >
> > so I had to downgrade openssl on both sides to make that work.
> >
> > Does anyone know what is to be done to use the last openssl?
> 
> This must be related to :
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1228892
> 
> Comment 3 says, "That means the servers use seriously insecure DH
> parameters (shorter than 768 bits).
> 
> Can you specify the TLS ciphersuite string in the client? If so, just
> set DEFAULT:!EDH:!DHE as the ciphersuites and you should be able to
> connect."
> 
> Akemi

       Thank you Akemi it works well on the clients.


-- Le (On) 2015-07-10 +0000 à (at) 16:19:53 Brandon Vincent (Student) écrivit (wrote): --

> I'd just update the server side configuration to use more robust Diffie-Hellman parameters.
> 
> Generate the parameters:
> openssl dhparam -out dhparam.pem -2 2048
> 
> In your sendmail.cf:
> define(`confDH_PARAMETERS',`/etc/mail/certs/dhparam.pem')
> 
> Brandon Vincent

       Thank you Brandon,

       I did that on the server and then I do not have to make Akemi's
       workaround on clients.


-- Le (On) 2015-07-10 -0400 à (at) 17:10:10 R P Herrold écrivit (wrote): --

> On Fri, 10 Jul 2015, Franchisseur Robert wrote:
> 
> > since last security update of openssl I cannot send mail with sendmail
> > on SL5
> 
> I confirm that we received the same error when we applied the 
> OpenSSL update, and had to revert as well; remember to add an 
> 'exclude' rule in yum.conf to block it against future updates
> 
> We are in the process of leaving '5' for mailservers and 
> webservers (to get the later TLS versions), so are not 
> actively seeking a fix
> 
> -- Russ herrold

       Thank you Russ,

       you can make Brandon's workaround before upgrading SL,
       it works very well.

-- 
                 Best regards,
                               Robert FRANCHISSEUR
 ____ Apollo_gist :-)_______________________________________________
| Robert FRANCHISSEUR                 Phone  : +33 (0)950  635  636 |
| 30 rue René Hamon                   Phone  : +33 (0)1 46 78 37 29 |
| F-94800 VILLEJUIF            e-mail : Robert at Franchisseur . fr |
 -------------------------------------------------------------------
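
Added example, not part of the original message and not code from sendmail or OpenSSL: a check that reads a "DH PARAMETERS" PEM file such as the dhparam.pem generated above and reports the size of its prime against the 768-bit floor quoted from the Bugzilla comment and the 2048-bit size used in the thread. The function names, the "below_target" label and the sample parameters are assumptions made for this example; the sample prime is constructed and is not a real prime.

```python
import base64

MIN_ACCEPTED_BITS = 768   # floor quoted from the Bugzilla comment in the thread
TARGET_BITS = 2048        # size passed to `openssl dhparam` in the thread
BEGIN, END = "-----BEGIN DH PARAMETERS-----", "-----END DH PARAMETERS-----"

def _read_tlv(der, i, tag):
    """Read one DER element with the given tag at offset i; return its value."""
    if i + 2 > len(der) or der[i] != tag:
        raise ValueError("unexpected or missing DER tag")
    length, start = der[i + 1], i + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or start + n > len(der):
            raise ValueError("bad DER length")
        length, start = int.from_bytes(der[start:start + n], "big"), start + n
    if start + length > len(der):
        raise ValueError("truncated DER value")
    return der[start:start + length]

def dh_prime_bits(pem):
    """Bit length of the prime p in a PKCS#3 'DH PARAMETERS' PEM block."""
    if BEGIN not in pem or END not in pem:
        raise ValueError("no DH PARAMETERS block found")
    body = pem.split(BEGIN, 1)[1].split(END, 1)[0]
    der = base64.b64decode("".join(body.split()))
    seq = _read_tlv(der, 0, 0x30)          # SEQUENCE { p INTEGER, g INTEGER, ... }
    p = _read_tlv(seq, 0, 0x02)            # first INTEGER is the prime p
    return int.from_bytes(p, "big").bit_length()

def classify(bits):
    """'rejected' under the 768-bit floor, 'below_target' under 2048, else 'ok'."""
    if bits < MIN_ACCEPTED_BITS:
        return "rejected"
    return "ok" if bits >= TARGET_BITS else "below_target"

def constructed_pem(bits):
    """Constructed sample input: p has the right size but is NOT a real prime."""
    def tlv(tag, value):
        n = len(value)
        size = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag]) + (size if n < 0x80 else bytes([0x80 | len(size)]) + size) + value
    p = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")   # leading 0x00 byte
    der = tlv(0x30, tlv(0x02, p) + tlv(0x02, b"\x02"))
    return BEGIN + "\n" + base64.encodebytes(der).decode() + END + "\n"

if __name__ == "__main__":
    for size in (512, 1024, 2048):
        print(size, classify(dh_prime_bits(constructed_pem(size))))
```

To check a real file, pass its contents to dh_prime_bits(), for example open("/etc/mail/certs/dhparam.pem").read().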

