More SSL weirdness, this time with sendmail / 2015-06-20

2015-06-20 More SSL weirdness, this time with sendmail
I'm not sure it is related to the recent OpenSSL upgrades but yesterday outgoing mail was suddenly all stuck with the error message:
Jun 19 16:02:30 ritchie sendmail[6381]: STARTTLS=client: 6381:error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3449:        
Jun 19 16:02:30 ritchie sendmail[6381]: ruleset=tls_server, arg1=SOFTWARE, relay=postbox.idefix.net, reject=403 4.7.0 TLS handshake.                            
I couldn't find a definitive reason, but I did notice these in the logs of sendmail on the home server:
Jun 19 20:59:27 greenblatt sendmail[4747]: STARTTLS=client: 4747:error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3338:
Jun 19 23:09:24 greenblatt sm-mta[20569]: STARTTLS=server, error: cannot read DH parameters(/etc/mail/tls/sendmail-common.prm): error:0906D06C:PEM routines:PEM_read_bio:no start line
I did notice /etc/mail/tls/sendmail-common.prm was 0 bytes large on the server which could be a source of the problem. This is the Diffie-Hellman parameter file used by the submission client. I regenerated this file to a 2048 bit Diffie-Hellman dhparam file. Mail is flowing again, but I'm not sure this was the cause of the problem.

The first errors were from:
Jun 15 13:00:52 greenblatt sendmail[26472]: STARTTLS=client: 26472:error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3338:
Jun 15 13:00:52 greenblatt sendmail[26472]: ruleset=tls_server, arg1=SOFTWARE, relay=[127.0.0.1], reject=403 4.7.0 TLS handshake.
And that was right after an openssl update. Why it took until 19 June for the mailflow to stop completely is strange to me.

Update: The only thing I can think of is that sendmail wasn't restarted after OpenSSL was updated. I checked the same update today on another system and the update of OpenSSL does not set triggers to restart ssl-using daemons.

Tags: , ,

IPv6 check

Running test...
, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4 local copy PGP key 5BA9 368B E6F3 34E4 via keyservers

RSS
Meningen zijn die van mezelf, wat ik schrijf is beschermd door auteursrecht. Sommige publicaties bevatten een expliciete vermelding dat ze ongevraagd gedeeld mogen worden.
My opinions are my own, what I write is protected by copyrights. Some publications contain an explicit license statement which allows sharing without asking permission.
Other webprojects: Camp Wireless, wireless Internet access at campsites, The Virtual Bookcase, book reviews
This page generated by $Id: newsitem.cgi,v 1.57 2022/02/15 21:48:18 koos Exp $ in 0.010031 seconds.