On Fri, Jul 10, 2015 at 6:53 AM, Franchisseur Robert <rob...@franchisseur.fr> wrote:
> Hello,
>
> Since the last security update of openssl I cannot send mail with sendmail on SL5.
>
> On the client side I got:
>
> Jul 8 02:50:18 localhost sendmail[14301]: STARTTLS=client, error: connect failed=-1, SSL_error=1, errno=0, retry=-1
> Jul 8 02:50:18 localhost sendmail[14301]: STARTTLS=client: 14301:error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:2429:
> Jul 8 02:50:18 localhost sendmail[14301]: t680oDCp014299: to=<rob...@franchisseur.fr>, delay=00:00:05, xdelay=00:00:05, mailer=smtp, pri=120973, relay=[127.0.0.1] [127.0.0.1], dsn=4.0.0, stat=Deferred: 403 4.7.0 server not authenticated.
>
> and on the server side:
>
> Jul 8 02:50:10 manne sendmail[14056]: STARTTLS=server, error: accept failed=0, SSL_error=1, errno=0, retry=-1
> Jul 8 02:50:10 manne sendmail[14056]: STARTTLS=server: 14056:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1092:SSL alert number 40
> Jul 8 02:50:10 manne sendmail[14056]: t680oA5j014056: gurtu2.lmd.jussieu.fr [134.157.176.59] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
>
> So I had to downgrade openssl on both sides to make that work.
>
> Does anyone know what is to be done to use the last openssl?
This must be related to: https://bugzilla.redhat.com/show_bug.cgi?id=1228892

Comment 3 says, "That means the servers use seriously insecure DH parameters (shorter than 768 bits). Can you specify the TLS ciphersuite string in the client? If so, just set DEFAULT:!EDH:!DHE as the ciphersuites and you should be able to connect."

Akemi
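As an added example (not code from either poster), the following decodes the packed OpenSSL error codes in sendmail's STARTTLS log lines so an admin can tell the client-side "dh key too small" rejection (the client refusing the server's weak DH parameters) apart from the server-side "alert handshake failure", which is only the symptom of the client hanging up. The OpenSSL 1.0.x error layout (8-bit library, 12-bit function, 12-bit reason) and the reason constants are from the OpenSSL headers; the log text is a constructed copy of the lines quoted in the thread.

```python
import re

# Constructed copies of the sendmail lines quoted in the thread, for offline use.
SAMPLE_LOG = """\
Jul  8 02:50:18 localhost sendmail[14301]: STARTTLS=client, error: connect failed=-1, SSL_error=1, errno=0, retry=-1
Jul  8 02:50:18 localhost sendmail[14301]: STARTTLS=client: 14301:error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:2429:
Jul  8 02:50:10 manne sendmail[14056]: STARTTLS=server: 14056:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1092:SSL alert number 40
"""

# OpenSSL 1.0.x packs an error as 0xLLFFFRRR: 8-bit library, 12-bit function, 12-bit reason.
ERR_LIB_SSL = 0x14
SSL_R_DH_KEY_TOO_SMALL = 372                # reason 0x174 (ssl.h, OpenSSL 1.0.x)
SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE = 1040  # reason 0x410 = 1000 + TLS alert 40

# Matches only the second-style line that carries the raw OpenSSL error code.
STARTTLS_RE = re.compile(
    r"sendmail\[\d+\]: STARTTLS=(?P<role>client|server): \d+:error:(?P<code>[0-9a-fA-F]{8}):"
)


def decode_openssl_error(code):
    """Split a packed OpenSSL error code into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def classify_starttls_failures(log_text):
    """Return one (role, reason, verdict) tuple per STARTTLS line with an OpenSSL code."""
    findings = []
    for line in log_text.splitlines():
        m = STARTTLS_RE.search(line)
        if not m:
            continue
        lib, _func, reason = decode_openssl_error(int(m.group("code"), 16))
        if lib != ERR_LIB_SSL:
            verdict = "error from a non-SSL OpenSSL library"
        elif reason == SSL_R_DH_KEY_TOO_SMALL:
            verdict = "this side rejected the peer's DH parameters; the fix belongs on the server (larger DH params)"
        elif reason == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE:
            verdict = "peer sent alert 40 (handshake failure); the root cause is in the peer's own log"
        else:
            verdict = "other SSL-library error, reason %d" % reason
        findings.append((m.group("role"), reason, verdict))
    return findings


if __name__ == "__main__":
    for role, reason, verdict in classify_starttls_failures(SAMPLE_LOG):
        print("%-6s reason=%4d  %s" % (role, reason, verdict))
```

Read together, the two records show the client refusing the server's DH group, so disabling DHE on the client (the comment-3 workaround) only hides the weak parameters; regenerating them with a larger size on the server removes the cause.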