More SSL weirdness, this time with sendmail / 2015-06-20

I'm not sure it is related to the recent OpenSSL upgrades but yesterday outgoing mail was suddenly all stuck with the error message:
Jun 19 16:02:30 ritchie sendmail[6381]: STARTTLS=client: 6381:error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3449:
Jun 19 16:02:30 ritchie sendmail[6381]: ruleset=tls_server, arg1=SOFTWARE, relay=postbox.idefix.net, reject=403 4.7.0 TLS handshake.
I couldn't find a definitive reason, but I did notice these in the logs of sendmail on the home server:
Jun 19 20:59:27 greenblatt sendmail[4747]: STARTTLS=client: 4747:error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3338:
Jun 19 23:09:24 greenblatt sm-mta[20569]: STARTTLS=server, error: cannot read DH parameters(/etc/mail/tls/sendmail-common.prm): error:0906D06C:PEM routines:PEM_read_bio:no start line
I did notice /etc/mail/tls/sendmail-common.prm was 0 bytes in size on the server, which could be a source of the problem. This is the Diffie-Hellman parameter file used by the submission client. I regenerated this file as a 2048-bit Diffie-Hellman parameter (dhparam) file. Mail is flowing again, but I'm not sure this was the cause of the problem.
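The two log messages above correspond to two different states of the parameter file: no PEM block at all (the "PEM_read_bio:no start line" error on a 0-byte sendmail-common.prm) and a prime shorter than the peer's OpenSSL will accept ("dh key too small"). The following is an added example, not code from this post or from sendmail: it parses a PEM "DH PARAMETERS" block and reports which case applies. The 2048-bit minimum and the make_dh_pem helper (which builds constructed test data, not real safe primes) are assumptions.

```python
import base64
import re

MIN_DH_BITS = 2048  # assumption: the 2048-bit size the post regenerated, used here as the local policy
PEM_RE = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

def _der_len(buf, i):  # decode a DER length at buf[i] -> (length, index after it)
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _der_int(buf, i):  # decode a DER INTEGER at buf[i] -> (value, index after it)
    if buf[i] != 0x02:
        raise ValueError("expected INTEGER")
    length, j = _der_len(buf, i + 1)
    return int.from_bytes(buf[j:j + length], "big", signed=True), j + length

def dh_prime_bits(pem_text):
    """Return the bit length of the prime p in a PEM 'DH PARAMETERS' block."""
    m = PEM_RE.search(pem_text)
    if m is None:  # what OpenSSL reports as "PEM_read_bio:no start line", e.g. a 0-byte .prm file
        raise ValueError("no start line")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, i = _der_len(der, 1)
    p, _ = _der_int(der, i)  # DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }
    return p.bit_length()

def check_dh_file(pem_text, min_bits=MIN_DH_BITS):  # classify into the two failure modes from the log, or ok
    try:
        bits = dh_prime_bits(pem_text)
    except ValueError as e:
        return "unreadable: %s" % e
    if bits < min_bits:
        return "dh key too small: %d bits" % bits
    return "ok: %d bits" % bits

def make_dh_pem(p, g=2):
    """Encode (p, g) as a PEM DH block: constructed test data, p is not a real safe prime here."""
    def der_len(n):
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([n]) if n < 0x80 else bytes([0x80 | len(nb)]) + nb
    def der_int(v):  # one extra leading 0x00 byte when the top bit is set keeps the INTEGER positive
        body = v.to_bytes((v.bit_length() + 8) // 8, "big")
        return b"\x02" + der_len(len(body)) + body
    body = der_int(p) + der_int(g)
    b64 = base64.b64encode(b"\x30" + der_len(len(body)) + body).decode()
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
```

Running check_dh_file over the contents of the .prm file distinguishes an empty or truncated file from one that is merely too short for the remote side's OpenSSL policy.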

The first errors were from:
Jun 15 13:00:52 greenblatt sendmail[26472]: STARTTLS=client: 26472:error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3338:
Jun 15 13:00:52 greenblatt sendmail[26472]: ruleset=tls_server, arg1=SOFTWARE, relay=[127.0.0.1], reject=403 4.7.0 TLS handshake.
And that was right after an OpenSSL update. Why it took until 19 June for the mail flow to stop completely is strange to me.

Update: The only thing I can think of is that sendmail wasn't restarted after OpenSSL was updated. I checked the same update today on another system, and the update of OpenSSL does not set triggers to restart SSL-using daemons.


Koos van den Hout, reachable as koos+website@idefix.net. PGP encrypted e-mail preferred. PGP key 5BA9 368B E6F3 34E4.