
How to enable TLSv1.2 on sendmail?


Luis Clemente, Feb 2, 2016, 3:40:09 PM
Hello guys,

A few months ago I enabled TLSv1 only on Sendmail by setting the line -D_FFR_TLS_1 in the site.config.m4 file and recompiling sendmail. Now there is a need to enable only TLSv1.2, and I am wondering if there is another option like -D_FFR_TLS_1, such as -D_FFR_TLS_1_2 or something like this.

Thanks and regards,

Luis

Claus Aßmann, Feb 2, 2016, 8:55:17 PM
Luis Clemente wrote:

> Few months ago I enabled TLSv1 only on Sendmail setting up
> the line -D_FFR_TLS_1 on site.config.m4 file and recompiled

Why do you think that _FFR_TLS_1 has anything to do with TLSv1? It
seems you are using a fairly old sendmail version; I found this back
in 8.14:
#if _FFR_TLS_1
/* More STARTTLS options, e.g., secondary certs. */

> sendmail. Now there is a need to enable only TLSv1.2 and I
> am wondering if there is another option of -D_FFR_TLS_1 like
> -D_FFR_TLS_1_2 or something like this.

The TLS versions that can be used are entirely dependent on the
OpenSSL version you are using for sendmail.


--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.

J.O. Aho, Feb 3, 2016, 1:02:05 AM
On 02/03/2016 02:45 AM, Claus Aßmann wrote:
> Luis Clemente wrote:
>
>> Few months ago I enabled TLSv1 only on Sendmail setting up
>> the line -D_FFR_TLS_1 on site.config.m4 file and recompiled
>
> Why do you think that _FFR_TLS_1 has anything to do with TLSv1? It
> seems you are using a fairly old sendmail version; I found this back
> in 8.14:
> #if _FFR_TLS_1
> /* More STARTTLS options, e.g., secondary certs. */
>
>> sendmail. Now there is a need to enable only TLSv1.2 and I
>> am wondering if there is another option of -D_FFR_TLS_1 like
>> -D_FFR_TLS_1_2 or something like this.
>
> The TLS versions that can be used are entirely dependent on the
> OpenSSL version you are using for sendmail.

For OpenSSL you need version 1.0.0 or better for TLS 1.1 or better.
There are some still-maintained Linux distributions which still only have
the 0.9.8 version of OpenSSL, like RedHat Enterprise Linux 5.

--

//Aho

Luis Clemente, Feb 4, 2016, 11:16:19 AM
Thanks all for your answers. Please see the versions I have running on the server:

- OS AIX 7.1;
- Sendmail 8.14.8;
- OpenSSL 1.0.1e 11 Feb 2013;

It's been so long since I compiled with -D_FFR_TLS_1, but the issue at that time was about disabling SSLv3 and keeping only TLSv1. I am almost sure, though not 100%, that this was the reason I used -D_FFR_TLS_1.

Luis Clemente, Feb 4, 2016, 11:21:20 AM
Anyway, as per my understanding of the test output below, TLSv1.2 is not currently being supported by sendmail:

$ openssl s_client -starttls smtp -crlf -tls1_2 -connect localhost:25
CONNECTED(00000004)
804401144:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 335 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1454602628
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---

Regards

Luis Clemente, Feb 5, 2016, 5:06:27 AM
Hello Claus,

We have another sendmail server running with version 8.15.1, and after testing we could see that TLSv1.2 is working fine; as you pointed out, a version update may resolve this issue. Thank you very much!!

Regards

Luis

Luis Clemente, Feb 5, 2016, 5:08:03 AM
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
Session-ID: 5E8426ACFE1D2D215723B8DE4633A061179A23A8E1473745FE59C9062A55BE52
Session-ID-ctx:
Master-Key: D240129EA269C40C35A632BF70344044492D072C1028F2A8C871299A92091D58E510FAB7B4DE0517804E53AEFECEC043
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 1 (seconds)
TLS session ticket:
0060 - f6 68 86 6e 5c 2f ae 80-8f dd 82 b9 00 35 2e 5e .h.n\/.......5.^
0070 - e6 52 c1 94 d3 ec 12 ea-cc 46 eb 88 09 7a 79 d8 .R.......F...zy.
0080 - 3b b9 cf 64 ab b4 c1 b8-b0 54 b6 ce 5f 60 05 e8 ;..d.....T.._`..
0090 - 4a 1c f7 e0 07 57 30 ef-1d 00 32 63 9f 66 ae 3b J....W0...2c.f.;

Start Time: 1454666622
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
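The two s_client runs quoted in this thread (8.14.8 refusing -tls1_2 with "wrong version number", 8.15.1 completing the handshake with DHE-RSA-AES256-GCM-SHA384) can be turned into a repeatable per-version probe. The script below is an added example, not code from the thread or from the sendmail project. It assumes an OpenSSL 1.0.1 or later client binary that understands -tls1_2 (an older binary, or one without -tls1_3, simply reports that version as unknown); the host and port arguments are placeholders. The sample outputs embedded in it are constructed from the excerpts quoted above, and the "New, TLSv1/SSLv3, Cipher is ..." line for the 8.15.1 case is assumed, since that line was trimmed from the page. The caveat it encodes: the "Protocol : TLSv1.2" line in the SSL-Session block is the version the client asked for and is printed even when the handshake failed, so the verdict must come from the negotiated cipher, not from that line.

```shell
#!/bin/sh
# Added example (not from the thread): probe an SMTP server's STARTTLS support
# for each TLS protocol version with openssl s_client and classify the result.
# Assumptions: an openssl(1) binary that accepts -tls1_2; host/port are
# placeholders supplied on the command line (default localhost:25).

# classify_tls_probe: read s_client output on stdin and print one of
#   rejected - the requested protocol version was refused (no cipher negotiated)
#   accepted - a cipher was negotiated, i.e. the handshake completed
#   unknown  - no recognised marker (e.g. the client rejected the option)
# "Cipher is (NONE)" is checked before "Cipher is " on purpose: the failing
# run still prints a "Protocol : TLSv1.2" line, which proves nothing.
classify_tls_probe() {
    out=$(cat)
    case "$out" in
        *"Cipher is (NONE)"*|*"wrong version number"*|*"alert protocol version"*|*"unsupported protocol"*)
            echo rejected ;;
        *"Cipher is "*)
            echo accepted ;;
        *)
            echo unknown ;;
    esac
}

# negotiated_cipher: print the cipher from the "New, ..., Cipher is X" line,
# or nothing when the handshake produced no cipher.
negotiated_cipher() {
    sed -n '/^New, .*Cipher is (NONE)/d; s/^New, .*Cipher is //p'
}

# probe_smtp_tls HOST PORT: try each version flag and print a verdict per row.
probe_smtp_tls() {
    host=${1:-localhost}; port=${2:-25}
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        # stderr is merged because the version errors are printed there;
        # a non-zero exit is expected for rejected versions.
        out=$(openssl s_client -starttls smtp -crlf "$flag" \
                -connect "$host:$port" </dev/null 2>&1 || true)
        verdict=$(printf '%s\n' "$out" | classify_tls_probe)
        cipher=$(printf '%s\n' "$out" | negotiated_cipher)
        printf '%-8s %-9s %s\n' "$flag" "$verdict" "$cipher"
    done
}

# Constructed samples, trimmed from the two s_client runs quoted in the thread
# (8.14.8 refusing TLSv1.2, 8.15.1 accepting it), so the classifier can be
# exercised offline. The "New, ..." line of the accepted case is assumed.
SAMPLE_REJECTED='CONNECTED(00000004)
804401144:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

SAMPLE_ACCEPTED='Server public key is 2048 bit
Secure Renegotiation IS supported
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384'

# Usage: sh probe_tls.sh [host] [port]  (live probe; needs the server and openssl)
# With no arguments the constructed samples are replayed instead.
if [ $# -gt 0 ]; then
    probe_smtp_tls "$@"
else
    printf 'sample 8.14.8: %s\n' "$(printf '%s\n' "$SAMPLE_REJECTED" | classify_tls_probe)"
    printf 'sample 8.15.1: %s %s\n' \
        "$(printf '%s\n' "$SAMPLE_ACCEPTED" | classify_tls_probe)" \
        "$(printf '%s\n' "$SAMPLE_ACCEPTED" | negotiated_cipher)"
fi
```

Run it against the 8.14.8 host and the 8.15.1 host in turn; a row reading "-tls1_2 rejected" with an empty cipher column is the same result Luis pasted, and one reading "-tls1_2 accepted DHE-RSA-AES256-GCM-SHA384" is the 8.15.1 result. Pointing it at localhost from the server itself, as in the thread, avoids any intermediate device that might terminate or rewrite the STARTTLS exchange.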

prasanth reddy, Jul 24, 2023, 6:55:02 AM