BlueOnyx updates: base-email

Posted by: mstauber Category: General

Updated base-email RPMS have been released for all BlueOnyx versions. These deal with certain OpenSSL related problems.

Since the last OpenSSL updates Sendmail has been misbehaving on all BlueOnyx versions. Especially on older EL5 and EL6 based BlueOnyx versions.

The nature of the problem was as follows: The older Sendmail versions on EL5 (especially there) allow TLS/SSL connections with Diffie-Hellman parameters less than 768 bits. After the latest OpenSSL update the minimum allowed DH bits was cranked up a bit and ended up higher than the default values in Sendmail.

As a result Sendmail would accept TLS/SSL connections with insufficient DH bits during the negotiaton stage. But OpenSSL would then throw an error because it saw insufficient bits were used.

To fix this all BlueOnyx versions now generate their own server specific 2048 bit Diffie-Hellman parameter file. Additionally the (and will get updated to force usage of that 2048 bit DH parameter file.

Additionally weak protocols (such as SSLv2 and SSLv3) and weak ciphers have been disabled. That part might require some further work in subsequent updates of base-email.

Please note: You might have to restart CCEd ("/sbin/service cced.init restart") for the changes to kick in.

Jun 12, 2015 Category: General Posted by: mstauber
Previous page: Development Next page: Mailing List