Hi,
I updated openssl version to 1.0.1p (to address logjam) and configured
sendmail.
To verify the logjam fix, I used openssl s_client and connected to the smtp
server.
---
Default log:
$ openssl s_client -starttls smtp -crlf -connect 127.0.0.1:25 -cipher EXP
CONNECTED(0003)
140482363598496:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:757:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 443 bytes and written 108 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
$ openssl s_client -starttls smtp -crlf -connect 127.0.0.1:25 -cipher EXP-EDH-RSA-DES-CBC-SHA
CONNECTED(0003)
140483069028000:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:757:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 443 bytes and written 134 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
Now, I configured sendmail to set the CIPHER LIST as ALL:
$ cat /etc/mail/sendmail.cf
.
.
O DHParameters=5
O CipherList=ALL
$
Here, I observe that smtp is allowing connections with
EXP-EDH-RSA-DES-CBC-SHA ciphers
--
Log:
--
$ openssl s_client -starttls smtp -crlf -connect 127.0.0.1:25
CONNECTED(0003)
depth=1 C = In, ST = Kar, L = Ban, O = IBM, CN = test
verify error:num=19:self signed certificate in certificate chain
verify return:0
140467858261664:error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3366:
---
Certificate chain
0 s:/C=In/ST=Kar/L=Ban/O=IBM/CN=test
i:/C=In/ST=Kar/L=Ban/O=IBM/CN=test
1 s:/C=In/ST=Kar/L=Ban/O=IBM/CN=test
i:/C=In/ST=Kar/L=Ban/O=IBM/CN=test
---
Server certificate
-BEGIN CERTIFICATE-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-END CERTIFICATE-
subject=/C=In/ST=Kar/L=Ban/O=IBM/CN=test
issuer=/C=In/ST=Kar/L=Ban/O=IBM/CN=test
---
No client certificate CA names sent
---
SSL handshake has read 2040 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher:
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1438601133
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
$
$ openssl s_client -starttls smtp -crlf -connect 127.0.0.1:25 -cipher EXP-EDH-RSA-DES-CBC-SHA
CONNECTED(0003)
depth=1 C = In, ST = Kar, L = Ban, O = IBM, CN = test
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=In/ST=Kar/L=Ban/O=IBM/CN=test
i:/C=In/ST=Kar/L=Ban/O=IBM/CN=test
1 s:/C=In/ST=Kar/L=Ban/O=IBM/CN=test
i:/C=In/ST=Kar/L=Ban/O=IBM/CN=test
---
Server certificate
-BEGIN CERTIFICATE-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-END CERTIFICATE-
subject=/C=In/ST=Kar/L=Ban/O=IBM/CN=test
issuer=/C=In/ST=Kar/L=Ban/O=IBM/CN=test
---
Acceptable client certificate CA names
/C=In/ST=Kar/L=Ban/O=IBM/CN=
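The three s_client outcomes shown in this mail (handshake failure, "dh key too small", and a negotiated cipher) are what an administrator needs to tell apart when scripting a Logjam check against an SMTP server. The following is an added example, not code from the mail or from sendmail/OpenSSL: a small POSIX shell helper that classifies s_client output into a verdict, plus a wrapper that runs the same s_client invocation used above. The sample outputs embedded below are constructed from the lines in the mail; the function names and verdict labels are the example's own.

```shell
#!/bin/sh
# Added example: classify the output of
#   openssl s_client -starttls smtp -crlf -connect HOST:PORT -cipher EXP-EDH-RSA-DES-CBC-SHA
# into a verdict so the Logjam check can be scripted and repeated after config changes.
#   REJECTED - server refused the export DHE suite (sslv3 alert handshake failure):
#              the server side is not offering the weak suite. This is the desired result.
#   WEAK_DH  - the client aborted with "dh key too small": the server still sent a
#              small DH group, so the server's DH parameters (sendmail O DHParameters)
#              need to be raised; only the patched client saved the connection.
#   ACCEPTED - a cipher was actually negotiated: the weak suite is usable end to end.
#   UNKNOWN  - none of the known patterns matched (connection problem, other error).
# Usage: openssl s_client ... </dev/null 2>&1 | classify_logjam_check
classify_logjam_check() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'dh key too small'; then
        echo WEAK_DH
    elif printf '%s\n' "$out" | grep -q 'alert handshake failure'; then
        echo REJECTED
    # "Cipher is (NONE)" means nothing was negotiated; any other value is a real suite.
    elif printf '%s\n' "$out" | grep -q 'Cipher is [^(]'; then
        echo ACCEPTED
    else
        echo UNKNOWN
    fi
}

# Wrapper: run the same probe as in the mail against $1 (host) and $2 (port).
check_smtp_weak_dh() {
    openssl s_client -starttls smtp -crlf -connect "$1:$2" \
        -cipher EXP-EDH-RSA-DES-CBC-SHA </dev/null 2>&1 | classify_logjam_check
}

# Constructed sample outputs (trimmed copies of the three cases in the mail).
SAMPLE_REJECTED='CONNECTED(0003)
140482363598496:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:757:
New, (NONE), Cipher is (NONE)'
SAMPLE_WEAK_DH='CONNECTED(0003)
140467858261664:error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3366:
New, (NONE), Cipher is (NONE)'
SAMPLE_ACCEPTED='CONNECTED(0003)
New, TLSv1/SSLv3, Cipher is EXP-EDH-RSA-DES-CBC-SHA
Server public key is 1024 bit'
```

Run `check_smtp_weak_dh 127.0.0.1 25` before and after changing `O CipherList` / `O DHParameters`; the goal is a REJECTED verdict, since WEAK_DH only means the patched client refused what the server still offers.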