Bug#461802: Default DH prime size too small for gnutls clients

Jim Paris
Jan 20, 2008, 5:30:20 PM
Package: sendmail
Version: 8.14.1-9
Severity: wishlist

Hi,

After upgrading ssmtp to a version that linked against gnutls instead
of openssl, I found that it simply didn't work anymore when using
client certificate authentication. I added debugging to ssmtp and it
was reporting:

The Diffie Hellman prime sent by the server is not acceptable (not long enough).

On my Sendmail server, I did some searching and eventually found
that I could fix this by running:

openssl dhparam -out dhparam.pem -2 1024

and adding to /etc/mail/tls/starttls.m4:

define(`confDH_PARAMETERS',`/etc/mail/tls/dhparam.pem')dnl

This did the trick and ssmtp works again. Since gnutls is probably
complaining about the small prime for a legit security-related reason,
I think it would make sense for sendmail to use a larger one by
default.

-jim

-- Package-specific info:
Output of /usr/share/bug/sendmail/script:

sendmail.conf:
DAEMON_NETMODE="Dynamic";
DAEMON_NETIF="eth0";
DAEMON_MODE="Daemon";
DAEMON_PARMS="";
DAEMON_HOSTSTATS="No";
DAEMON_MAILSTATS="No";
QUEUE_MODE="${DAEMON_MODE}";
QUEUE_INTERVAL="5m";
QUEUE_PARMS="";
MSP_MODE="Daemon";
MSP_INTERVAL="10m";
MSP_PARMS="";
MSP_MAILSTATS="No";
MISC_PARMS="";
CRON_MAILTO="jim";
CRON_PARMS="";
LOG_CMDS="No";
HANDS_OFF="No";
AGE_DATA="";
DAEMON_RUNASUSER="No";
DAEMON_STATS="${DAEMON_MAILSTATS}";
MSP_STATS="${MSP_MAILSTATS}";


sendmail.mc:
divert(-1)dnl
divert(0)dnl
define(`_USE_ETC_MAIL_')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: sendmail.mc, v 8.12.9-5 2003-07-01 23:39:44 cowboy Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-mta')dnl
undefine(`confHOST_STATUS_DIRECTORY')dnl #DAEMON_HOSTSTATS
LOCAL_CONFIG
FEATURE(`masquerade_envelope')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`virtusertable', `hash /etc/mail/virtusertable')dnl
LOCAL_CONFIG
Cwjim.sh
FEATURE(`use_cw_file')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`redirect')dnl
FEATURE(`access_db')dnl
include(`/etc/mail/m4/dialup.m4')dnl
include(`/etc/mail/m4/provider.m4')dnl
MAILER_DEFINITIONS
MAILER(local)dnl
MAILER(smtp)dnl
LOCAL_CONFIG
MODIFY_MAILER_FLAGS(`LOCAL', `+9')dnl
define(`confQUEUE_LA', `8')dnl
define(`confREFUSE_LA', `16')dnl
LOCAL_RULE_0
R$+ <@ $* jfat.org .> $1 <@ $2 jfet.org .>
define(`confHOST_STATUS_DIRECTORY', `')dnl
define(`confTO_IDENT', `0s')dnl
include(`/etc/mail/tls/starttls.m4')dnl
include(`/etc/mail/sasl/sasl.m4')dnl
include(`/etc/mail/m4/clamav-milter.m4')dnl

submit.mc:
divert(-1)dnl
divert(0)dnl
define(`_USE_ETC_MAIL_')dnl
include(`/usr/share/sendmail/cf/m4/cf.m4')dnl
VERSIONID(`$Id: submit.mc, v 8.12.9-5 2003-07-01 23:39:44 cowboy Exp $')
OSTYPE(`debian')dnl
DOMAIN(`debian-msp')dnl
MASQUERADE_AS(`jim.sh')dnl
FEATURE(`masquerade_envelope')dnl
FEATURE(`use_ct_file')dnl
FEATURE(`msp', `[127.0.0.1]', `MSA')dnl
include(`/etc/mail/tls/starttls.m4')dnl
include(`/etc/mail/sasl/sasl.m4')dnl


-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.21-2-686 (SMP w/1 CPU core)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages sendmail depends on:
ii sendmail-base 8.14.1-9 powerful, efficient, and scalable
ii sendmail-bin 8.14.1-9 powerful, efficient, and scalable
ii sendmail-cf 8.14.1-9 powerful, efficient, and scalable
ii sensible-mda 8.14.1-9 Mail Delivery Agent wrapper

sendmail recommends no packages.

Versions of packages sensible-mda depends on:
ii libc6 2.7-5 GNU C Library: Shared libraries
ii procmail 3.22-16 Versatile e-mail processor
ii sendmail-bin [mail-transport- 8.14.1-9 powerful, efficient, and scalable

Versions of packages rmail depends on:
ii libc6 2.7-5 GNU C Library: Shared libraries
ii libldap2 2.1.30.dfsg-13.5 OpenLDAP libraries
ii sendmail-bin [mail-tran 8.14.1-9 powerful, efficient, and scalable

Versions of packages libmilter0 depends on:
ii libc6 2.7-5 GNU C Library: Shared libraries

-- no debconf information
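The size check behind the fix in the report above, as an added example that is not part of the bug report or of sendmail: a small Python tool that reads a PEM "DH PARAMETERS" file such as the dhparam.pem produced by `openssl dhparam` and reports the bit length of the prime, flagging anything below 1024 bits. The 1024-bit threshold (MIN_DH_BITS) is an assumption modelling what satisfied the gnutls client here, and the sample moduli are constructed placeholders (not real primes) used only to exercise the length check.

```python
import base64
import re
MIN_DH_BITS = 1024  # assumed threshold: the size that satisfied the gnutls client in the report

def _der_len(buf, i):
    """Decode a DER length at buf[i]; return (length, index after it)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _der_int(buf, i):
    """Decode a DER INTEGER at buf[i]; return (value, index after it)."""
    if buf[i] != 0x02:
        raise ValueError("expected INTEGER at offset %d" % i)
    length, i = _der_len(buf, i + 1)
    return int.from_bytes(buf[i:i + length], "big", signed=True), i + length

def parse_dh_params(pem):
    """Return (p, g) from a PKCS#3 'DH PARAMETERS' PEM block, the format openssl dhparam writes."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, i = _der_len(der, 1)   # step over the SEQUENCE length
    p, i = _der_int(der, i)   # prime modulus
    g, _ = _der_int(der, i)   # generator
    return p, g

def check_dh_pem(pem, min_bits=MIN_DH_BITS):
    """Return (prime_bits, ok): the modulus width and whether it meets the policy minimum."""
    bits = parse_dh_params(pem)[0].bit_length()
    return bits, bits >= min_bits

def _der_len_enc(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    return bytes([n]) if n < 0x80 else bytes([0x80 | ((n.bit_length() + 7) // 8)]) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def make_dh_pem(p, g=2):
    """Build a DH PARAMETERS PEM from constructed values (p need not be prime for a size check)."""
    def enc(n):  # DER INTEGER; the extra byte keeps a leading 0x00 when the high bit is set
        raw = n.to_bytes((n.bit_length() + 8) // 8, "big")
        return b"\x02" + _der_len_enc(len(raw)) + raw
    body = enc(p) + enc(g)
    b64 = base64.b64encode(b"\x30" + _der_len_enc(len(body)) + body).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % lines
```

Point `check_dh_pem` at the contents of a real /etc/mail/tls/dhparam.pem to confirm the group a server advertises is at least as wide as the clients require.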
