[openssl-users] sendmail, openssl 1.1.1, tls1.3

Carl Byington carl at five-ten-sg.com
Mon Oct 15 23:49:39 UTC 2018


> Perhaps Sendmail is setting the CA names the client side, and then
> OpenSSL is trying to serialize the names of all your CAs to the
> server.  This is a bad idea.  Don't do that.  Try using CApath, and
> no or an explicitly empty CAfile, and see if that helps.

Do you mean CACertFile and CACertPath? Red Hat/CentOS stock
sendmail.mc/cf uses:

O CACertFile=/etc/pki/tls/certs/ca-bundle.crt
O CACertPath=/etc/pki/tls/certs

pointing the CACertFile to a 750KB file with 149 certificates. That just
seems wrong, but perhaps there is some reason for it. If CACertFile is
not specified, sendmail won't advertise STARTTLS. So we need to give it
something there, and the docs imply that it should at least contain the
certificate of the CA that signed the sendmail certificate. I have a
private CA that signed my sendmail certificate, so using:

O CACertFile=/etc/pki/tls/certs/my-ca-certificate.pem
O CACertPath=/etc/pki/tls/certs
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

on both the client and server sendmail machines, we get TLSv1.3!

Perhaps some certificate in the stock ca-bundle.crt is malformed?


> No something else.  A pointer to source code of the Sendmail in
> question may be helpful.

http://www.five-ten-sg.com/mapper/blog/DANE

ftp://ftp.sendmail.org/pub/sendmail/snapshots/sendmail.8.16.0.29.tar.gz

http://www.five-ten-sg.com/util/sendmail-8.16.0-dane.patch




> Do you see any calls to SSL_CTX_set0_CA_list()?

No, but there is a call to SSL_CTX_set_client_CA_list(*ctx,
SSL_load_client_CA_file(cacertfile)) which would read that ca-bundle.crt
file.

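The exchange above turns on how many CA names end up in the handshake once a whole CA bundle is loaded as the CA-name list. The following is an added example, not code from the original post, from sendmail or from OpenSSL: it parses a PEM bundle with a small hand-written DER reader, pulls out the DER-encoded subject Name of each certificate (the same set that SSL_load_client_CA_file(cacertfile) collects, one X509_NAME per certificate) and computes the wire size of the TLS 1.3 certificate_authorities extension (RFC 8446, section 4.2.4) that carries them, checked against the extension's 2^16-1 byte bound. The helper names (toy_cert_pem, subject_names_der, certificate_authorities_size, check_bundle, demo) are this example's own, and the certificates are constructed skeletons with issuer/subject Names in their X.509 positions and no real signature, so it runs offline; it generalises the post's one-CA versus 149-CA comparison to any bundle you feed it.

```python
"""Added example (not from the original post, sendmail or OpenSSL): size of the
TLS 1.3 certificate_authorities extension when every subject name in a CA
bundle is sent. Helper names are this example's own; certificates are
constructed skeletons, not real X.509 certificates."""
import base64
import re
from typing import Dict, List, Tuple

# ---- minimal DER encode/decode -------------------------------------------
def der_len(n: int) -> bytes:
    """DER length: short form below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after this TLV) for the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length

# ---- constructed toy certificates (demo input only) ----------------------
OID_CN = bytes.fromhex("550403")           # id-at-commonName
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")

def toy_name(cn: str) -> bytes:
    """Name ::= SEQUENCE OF RDN; one RDN (SET) holding a single commonName."""
    atv = der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, atv))

def toy_cert_pem(cn: str) -> str:
    """Constructed skeleton: Certificate { tbsCertificate { [0] v3, serial,
    sigAlg, issuer, validity, subject, spki }, sigAlg, signature }.
    Field order matches X.509 so the parser below walks it; no real signature."""
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                 # [0] EXPLICIT version v3
              + der(0x02, b"\x01")                          # serialNumber
              + der(0x30, der(0x06, OID_SHA256_RSA))        # signature AlgorithmIdentifier
              + toy_name(cn)                                # issuer (self-signed)
              + der(0x30, der(0x17, b"181015000000Z") * 2)  # validity: notBefore, notAfter
              + toy_name(cn)                                # subject
              + der(0x30, b""))                             # subjectPublicKeyInfo placeholder
    cert = der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
    b64 = base64.encodebytes(cert).decode().replace("\n", "")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

# ---- bundle parsing and extension sizing ---------------------------------
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def subject_names_der(bundle_pem: str) -> List[bytes]:
    """DER-encoded subject Name (full TLV, as sent on the wire) of every
    certificate in a PEM bundle; v1 certificates without [0] version are handled."""
    names = []
    for m in PEM_RE.finditer(bundle_pem):
        cert = base64.b64decode("".join(m.group(1).split()))
        _, cert_body, _ = read_tlv(cert, 0)          # Certificate
        _, tbs, _ = read_tlv(cert_body, 0)           # tbsCertificate
        pos = 0
        tag, _, nxt = read_tlv(tbs, pos)
        if tag == 0xA0:                              # optional [0] EXPLICIT version
            pos = nxt
        for _ in range(4):                           # serial, sigAlg, issuer, validity
            _, _, pos = read_tlv(tbs, pos)
        start = pos
        _, _, pos = read_tlv(tbs, pos)               # subject
        names.append(tbs[start:pos])
    return names

def certificate_authorities_size(names: List[bytes]) -> int:
    """Body size of CertificateAuthoritiesExtension (RFC 8446 4.2.4):
    2-byte vector length plus, per DistinguishedName, a 2-byte length and the DER."""
    return 2 + sum(2 + len(n) for n in names)

def check_bundle(bundle_pem: str, limit: int = 0xFFFF) -> Dict[str, object]:
    names = subject_names_der(bundle_pem)
    size = certificate_authorities_size(names)
    return {"cas": len(names), "bytes": size, "fits": size <= limit}

def demo() -> Dict[str, Dict[str, object]]:
    """One private CA versus a constructed 149-certificate stock-style bundle."""
    private = toy_cert_pem("Example Private CA")
    stock = "".join(toy_cert_pem(f"Example Root CA {i:03d}") for i in range(149))
    return {"private": check_bundle(private), "stock": check_bundle(stock)}

if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)   # stock -> {'cas': 149, 'bytes': 5068, 'fits': True}
```

To run it against a real bundle, pass `open("/etc/pki/tls/certs/ca-bundle.crt").read()` to `check_bundle()`; real CA subject Names are far longer than the toy ones here, so the byte count grows accordingly.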



