From: AMM
Newsgroups: comp.mail.sendmail
Subject: Re: OpenSSL 3.4.x supported?
Date: Wed, 8 Jan 2025 14:09:28 +0530

On 06/01/25 9:48 pm, Claus Aßmann wrote:
> AMM wrote:
>
>> EOPENSSL_CONF=/etc/mail/sendmail.ossl
>
>> In my case this file does not exist.
>
> That's the entire idea - as the release notes entry explains:
>
>> Note: OpenSSL 3 loads by default an openssl.cnf file from a location
>> specified in the library which may cause unwanted behaviour in sendmail.
>
>> It is not clear what unwanted behaviour can occur if OpenSSL defaults
>> are used?
>
> Check the OpenSSL config file / documentation, e.g., wrt
> "security level".

Thank you for your response. However, it is still not clear what unwanted
behaviour can occur? If you can explain, then please do.

>
>> Didn't sendmail use OpenSSL defaults, earlier too?
>
> sendmail never explicitly use{s,d} OpenSSL config files.
>
>> Ideally, what setting should be mentioned in /etc/mail/sendmail.ossl?
Currently I have this in sendmail.mc file: (using for a few years)

dnl # recommended from https://weakdh.org/sysadmin.html
LOCAL_CONFIG
O CipherList=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
O DHParameters=/etc/ssl/dhparams.pem
O ServerSSLOptions=+SSL_OP_CIPHER_SERVER_PREFERENCE

Hopefully this is what is sufficient.

Regards
AMM.
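The thread asks what a dedicated /etc/mail/sendmail.ossl should contain, and the reply points at the OpenSSL "security level" as the thing an unexpected system-wide openssl.cnf can silently change. The following is an added example, not from the thread or from the sendmail project: a minimal OpenSSL 3 configuration file that pins the security level and minimum protocol explicitly, so that the behaviour no longer depends on whatever the distribution ships in its default openssl.cnf. It assumes that the file named by EOPENSSL_CONF is read as a standard OpenSSL configuration file; the section names and directives are ordinary OpenSSL config keywords, and the values chosen are illustrative.

```ini
# /etc/mail/sendmail.ossl  (constructed example; assumes sendmail was
# built with EOPENSSL_CONF=/etc/mail/sendmail.ossl and loads this file
# instead of the library's default openssl.cnf)

# Name of the section OpenSSL initialises from.
openssl_conf = openssl_init

[openssl_init]
# Apply the SSL/TLS defaults below to every SSL_CTX the process creates.
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# Security level 2 rejects RSA/DH/DSA keys shorter than 2048 bits,
# certificates signed with SHA-1, and ciphers below 112 bits of strength.
# Fixing it here means a distribution openssl.cnf set to level 1 or 3
# cannot quietly weaken or break sendmail's TLS handshakes.
# sendmail's own "O CipherList=..." is still applied on top of this
# string, so the intersection of both is what is actually offered.
CipherString = DEFAULT:@SECLEVEL=2

# Refuse TLS 1.0/1.1 regardless of what the library default allows.
MinProtocol = TLSv1.2
```

To see which suites a given string and level actually resolve to on the installed library, run `openssl ciphers -v 'DEFAULT:@SECLEVEL=2'` and compare it with the list produced for the sendmail CipherList above; suites that appear in one but not the other are the ones the security level is removing. Keeping DHParameters pointed at a 2048-bit or larger group is consistent with level 2, since a smaller group would be rejected at that level.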