pkgsrc-Users archive
ECDH support for sendmail
Hi
If nobody complains, I would like to commit this patch, which brings
optional ECDH support to the sendmail package:
http://ftp.Espci.fr/shadow/manu/sendmail-ecdh.patch
For anyone interested, I build sendmail with
PKG_OPTIONS.sendmail=tls ffr_tls_1 ecdh
And I have the following in sendmail.cf:
O CACertPath=/etc/openssl/certs/
O CACertFile=/etc/openssl/certs/tcs-chain.crt
O ServerCertFile=/etc/openssl/certs/server.crt
O ServerKeyFile=/etc/openssl/private/server.key
O DHParameters=/etc/openssl/certs/dh1024.pem
O CipherList=ECDH@STRENGTH:DH@STRENGTH:HIGH:!RC4:!MD5:!DES:!aNULL:!eNULL
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_CIPHER_SERVER_PREFERENCE
Results:
Nov 5 04:10:22 valmont sendmail[18367]: STARTTLS=client,
relay=server.example.com., version=TLSv1/SSLv3, verify=FAIL,
cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128
Nov 5 05:52:13 valmont sendmail[17789]: STARTTLS=server,
relay=host.example.net [192.0.2.159], version=TLSv1/SSLv3, verify=NO,
cipher=ECDHE-RSA-AES256-SHA, bits=256/256
Notes on compatibility: I forbid RC4 in CipherList after observing in
the logs that nobody tries to negotiate it. On the other hand, I tried
ClientSSLOptions=+SSL_OP_NO_SSLv2 but that breaks many outgoing
connections.
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu%netbsd.org@localhost
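The "Results" above are the sendmail STARTTLS log lines that show whether the ECDH cipher suites actually get negotiated. The following is an added example (not part of the post or of the sendmail package) of the check a mail admin would run over such log lines: parse the STARTTLS entries, classify each session's key exchange from the OpenSSL cipher-suite name, and flag sessions that lack forward secrecy or use a cipher the CipherList is meant to exclude. The sample log lines, hostnames and PIDs are constructed for the example; the field names (STARTTLS=, relay=, verify=, cipher=, bits=) match the sendmail log format shown above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Constructed sample syslog lines in the shape sendmail writes for STARTTLS
# sessions (real entries are single lines; hostnames and PIDs are made up).
SAMPLE_LOG = """\
Nov  5 04:10:22 valmont sendmail[18367]: STARTTLS=client, relay=server.example.com., version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128
Nov  5 05:52:13 valmont sendmail[17789]: STARTTLS=server, relay=host.example.net [192.0.2.159], version=TLSv1/SSLv3, verify=NO, cipher=ECDHE-RSA-AES256-SHA, bits=256/256
Nov  5 06:01:40 valmont sendmail[17901]: STARTTLS=server, relay=legacy.example.org [192.0.2.7], version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256
Nov  5 06:15:02 valmont sendmail[18022]: STARTTLS=client, relay=old.example.net., version=TLSv1/SSLv3, verify=FAIL, cipher=AES128-SHA, bits=128/128
Nov  5 06:20:11 valmont sendmail[18040]: STARTTLS=client, relay=rc4.example.com., version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128
"""

STARTTLS_RE = re.compile(
    r"sendmail\[(?P<pid>\d+)\]: STARTTLS=(?P<role>client|server), "
    r"relay=(?P<relay>.+?), version=(?P<version>[^,]+), "
    r"verify=(?P<verify>[^,]+), cipher=(?P<cipher>[^,]+), "
    r"bits=(?P<bits>\d+)/(?P<algbits>\d+)"
)


@dataclass
class StartTlsEvent:
    role: str       # "client" = outgoing delivery, "server" = inbound session
    relay: str
    version: str
    verify: str     # sendmail's cert verification result (OK, NO, NOT, FAIL, ...)
    cipher: str     # OpenSSL cipher-suite name
    bits: int       # effective key bits
    algbits: int    # algorithm key bits

    @property
    def key_exchange(self) -> str:
        """Key-exchange family inferred from the OpenSSL suite-name prefix."""
        name = self.cipher
        if name.startswith("ECDHE-"):
            return "ECDHE"
        if name.startswith(("DHE-", "EDH-")):
            return "DHE"
        if name.startswith(("AECDH-", "ADH-")):
            return "ANON"        # unauthenticated; excluded by !aNULL
        if name.startswith("ECDH-"):
            return "ECDH"        # static ECDH, no forward secrecy
        if name.startswith("DH-"):
            return "DH"          # static DH, no forward secrecy
        return "RSA"             # RSA key transport, no forward secrecy

    @property
    def forward_secrecy(self) -> bool:
        return self.key_exchange in ("ECDHE", "DHE")

    @property
    def peer_authenticated(self) -> bool:
        # Only verify=OK means the peer certificate chained to a trusted CA.
        return self.verify == "OK"


def parse_starttls_log(text: str) -> List[StartTlsEvent]:
    """Extract STARTTLS session records; lines that are not STARTTLS are skipped."""
    events = []
    for line in text.splitlines():
        m = STARTTLS_RE.search(line)
        if m:
            events.append(StartTlsEvent(
                role=m["role"], relay=m["relay"], version=m["version"],
                verify=m["verify"], cipher=m["cipher"],
                bits=int(m["bits"]), algbits=int(m["algbits"])))
    return events


def key_exchange_summary(events: Sequence[StartTlsEvent]) -> Dict[str, int]:
    """How many sessions used each key-exchange family (ECDHE, DHE, RSA, ...)."""
    return dict(Counter(e.key_exchange for e in events))


def without_forward_secrecy(events: Sequence[StartTlsEvent]) -> List[str]:
    """Relays whose session would be decryptable if the server key leaked."""
    return [e.relay for e in events if not e.forward_secrecy]


def policy_violations(events: Sequence[StartTlsEvent],
                      banned: Sequence[str] = ("RC4", "MD5")) -> List[str]:
    """Relays that negotiated a suite the CipherList is supposed to exclude.

    Tokens are compared against the '-'-separated parts of the suite name.
    'DES' is deliberately not in the default list: 3DES suites such as
    DES-CBC3-SHA also carry a 'DES' token, and OpenSSL's !DES does not
    exclude them, so matching it here would produce false positives.
    """
    hits = []
    for e in events:
        tokens = set(e.cipher.split("-"))
        if tokens & set(banned):
            hits.append(e.relay)
    return hits


if __name__ == "__main__":
    evs = parse_starttls_log(SAMPLE_LOG)
    print("key exchange:", key_exchange_summary(evs))
    print("no forward secrecy:", without_forward_secrecy(evs))
    print("policy violations:", policy_violations(evs))
    print("authenticated peers:", [e.relay for e in evs if e.peer_authenticated])
```

Run it against `/var/log/maillog` by feeding the file contents to `parse_starttls_log`. A non-empty `policy_violations` result means the running sendmail is not applying the CipherList you think it is; a relay that keeps showing up in `without_forward_secrecy` is a peer that does not offer ECDHE or DHE at all, which is the kind of compatibility observation the post bases its RC4 decision on.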