-- Le (On) 2015-07-10 -0700 à (at) 08:59:56 Akemi Yagi écrivit (wrote): --
> On Fri, Jul 10, 2015 at 6:53 AM, Franchisseur Robert
> <rob...@franchisseur.fr> wrote:
> > Hello,
> >
> > since last security update of openssl I cannot send mail with sendmail
> > on SL5
> > <snip>
> >
> > so I had to downgrade openssl on both sides to make that work.
> >
> > Does anyone know what is to be done to use the last openssl ?
>
> This must be related to :
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1228892
>
> Comment 3 says, "That means the servers use seriously insecure DH
> parameters (shorter than 768 bits).
>
> Can you specify the TLS ciphersuite string in the client? If so, just
> set DEFAULT:!EDH:!DHE as the ciphersuites and you should be able to
> connect."
>
> Akemi

Thank you Akemi, it works well on the clients.

-- Le (On) 2015-07-10 +0000 à (at) 16:19:53 Brandon Vincent (Student) écrivit (wrote): --
> I'd just update the server side configuration to use more robust
> Diffie-Hellman parameters.
>
> Generate the parameters:
>   openssl dhparam -out dhparam.pem -2 2048
>
> In your sendmail.cf:
>   define(`confDH_PARAMETERS',`/etc/mail/certs/dhparam.pem')
>
> Brandon Vincent

Thank you Brandon, I did that on the server and now I do not have to apply Akemi's workaround on the clients.

-- Le (On) 2015-07-10 -0400 à (at) 17:10:10 R P Herrold écrivit (wrote): --
> On Fri, 10 Jul 2015, Franchisseur Robert wrote:
>
> > since last security update of openssl I cannot send mail with sendmail
> > on SL5
>
> I confirm that we received the same error when we applied the
> OpenSSL update, and had to revert as well; remember to add an
> 'exclude' rule in yum.conf to block it against future updates
>
> We are in the process of leaving '5' for mailservers and
> webservers (to get the later TLS versions), so are not
> actively seeking a fix
>
> -- Russ herrold

Thank you Russ, you can apply Brandon's workaround before upgrading SL; it works very well.
--
Best regards,
Robert FRANCHISSEUR

 ____ Apollo_gist :-)_______________________________________________
| Robert FRANCHISSEUR      Phone  : +33 (0)950 635 636              |
| 30 rue René Hamon        Phone  : +33 (0)1 46 78 37 29            |
| F-94800 VILLEJUIF        e-mail : Robert at Franchisseur . fr     |
 -------------------------------------------------------------------
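
An added example, not part of the thread and not code from any of its participants: a check of the prime size in a `DH PARAMETERS` PEM file such as the `dhparam.pem` discussed above, so a server's parameters can be audited before clients take the OpenSSL update. The function names are hypothetical, the 768 and 2048 thresholds are the two figures quoted in the thread, and the sample input is constructed (right size only, not a usable prime).

```python
import base64
import re

MIN_ACCEPTED_BITS = 768   # threshold named in the quoted Bugzilla comment
RECOMMENDED_BITS = 2048   # size used in the quoted "openssl dhparam" command

def _read_tlv(buf, pos, tag):
    """Parse one DER tag-length-value at pos; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected DER tag")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length], pos + length

def dh_prime_bits(pem_text):
    """Bit length of p in a PKCS#3 PEM: SEQUENCE { INTEGER p, INTEGER g }."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block")
    der = base64.b64decode("".join(m.group(1).split()))
    seq, _ = _read_tlv(der, 0, 0x30)       # outer SEQUENCE
    p, _ = _read_tlv(seq, 0, 0x02)         # first INTEGER is the prime p
    return int.from_bytes(p, "big").bit_length()

def classify(bits):
    if bits < MIN_ACCEPTED_BITS:
        return "rejected"                  # size the Bugzilla comment calls seriously insecure
    return "weak" if bits < RECOMMENDED_BITS else "ok"

def _tlv(tag, value):
    """Minimal DER encoder, used only to build the constructed sample."""
    n, k = len(value), (len(value).bit_length() + 7) // 8
    hdr = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + hdr + value

def sample_pem(bits):
    """Constructed input: p only has the right size; it is NOT a usable prime."""
    der_int = lambda i: _tlv(0x02, i.to_bytes(i.bit_length() // 8 + 1, "big"))
    der = _tlv(0x30, der_int((1 << (bits - 1)) | 1) + der_int(2))
    return ("-----BEGIN DH PARAMETERS-----\n" + base64.encodebytes(der).decode()
            + "-----END DH PARAMETERS-----\n")

if __name__ == "__main__":
    for bits in (512, 1024, 2048):
        print(bits, classify(dh_prime_bits(sample_pem(bits))))
```

To audit a real file, pass its contents to `dh_prime_bits()`; the check covers size only and does not test whether p is prime.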