Assuming that 8.16 has a better default configuration, yet I am
still seeing a few "dh key too small" errors in the logs.
Please post a log entry: is it your system or the other side
that's complaining?
AFAIR some Linux distributions use ... "uncommon" settings
in the OpenSSL compilation -- check the archive for other
postings about this problem.
I have recently upgraded to centos9stream and removed the
Should I still force ciphers, or is there something wrong with a key of
2048?
Which sendmail version and which openssl version?
sendmail -bt -d0.14 </dev/null
[@~]# sendmail -bt -d0.14 -bt < /dev/null
Version 8.16.1
Should I still force ciphers, or is there something wrong with a key of
2048?
No, but it depends on the versions of sendmail, the library, and
compile time options - hence the request for more info.
Moreover, check whether your cf file actually references
the generated data.
sendmail[95017]: STARTTLS=client, error: connect failed=-1, reason=dh
key too small, SSL_error=1, errno=0, retry=-1
Do you know how to use openssl s_client to test this?
H=in.hes.trendmicro.eu
openssl s_client -connect $H:25 -state -debug -crlf -starttls smtp
openssl s_client -connect in.hes.trendmicro.eu:25 -state -debug -crlf -starttls smtp
see also the man page for info.
This is the output, but I am not really sure how this is comparable as
the dhparams.pem file is only in the /etc/mail/ folder and sendmail is configured for this.
Because my guess is that it's a problem with the server key --
I get this from in.hes.trendmicro.eu:
Server Temp Key: DH, 1024 bits
which could be considered "too small" by some OpenSSL versions.
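The s_client probe given earlier in this thread and the "Server Temp Key" line read from it, wrapped into a small script as an added example (this is not code from the thread, from sendmail or from OpenSSL). It parses the DH group size out of openssl s_client output and flags anything below 2048 bits, which is the smallest finite-field DH group a client at OpenSSL security level 2 accepts; level 2 is what the RHEL/CentOS 9 DEFAULT crypto policy sets, so a server offering a 1024-bit group is rejected with "dh key too small". The function names, the host:port argument and the abridged sample output are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Parses the "Server Temp Key"
# line that openssl s_client prints after a successful handshake and
# compares the DH group size with what an OpenSSL security level 2
# client (RHEL/CentOS 9 DEFAULT crypto policy) will accept.

MIN_DH_BITS=2048

# Read s_client output on stdin and print the DH group size in bits.
# Prints nothing if the server used an EC group instead (s_client then
# prints e.g. "Server Temp Key: X25519, 253 bits") or if the handshake
# failed before a key exchange was seen.
dh_bits_from_sclient() {
    sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1
}

# Classify s_client output read on stdin: prints a verdict and returns 0
# when the group is acceptable, 1 when it is below MIN_DH_BITS.
classify_dh() {
    bits=$(dh_bits_from_sclient)
    if [ -z "$bits" ]; then
        echo "no finite-field DH group seen"
        return 0
    fi
    if [ "$bits" -lt "$MIN_DH_BITS" ]; then
        echo "too small: DH $bits bits < $MIN_DH_BITS"
        return 1
    fi
    echo "ok: DH $bits bits"
    return 0
}

# Live probe (needs network); argument is host:port, e.g. in.hes.trendmicro.eu:25.
# Run from the affected client, the handshake aborts with the same
# "dh key too small" error and no Server Temp Key line is printed, so the
# lenient variant lowers the security level for this probe only, to see
# what the remote server actually offers.
probe_smtp_dh() {
    openssl s_client -connect "$1" -starttls smtp -crlf </dev/null 2>/dev/null \
        | classify_dh
}
probe_smtp_dh_lenient() {
    openssl s_client -connect "$1" -starttls smtp -crlf \
        -cipher 'DEFAULT:@SECLEVEL=0' </dev/null 2>/dev/null \
        | classify_dh
}

# Constructed, abridged s_client output for offline use.
SAMPLE_DH1024='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
Server Temp Key: DH, 1024 bits
---'
SAMPLE_DH2048='Server Temp Key: DH, 2048 bits'
SAMPLE_ECDHE='Server Temp Key: X25519, 253 bits'

# Usage:
#   probe_smtp_dh_lenient in.hes.trendmicro.eu:25
#   printf '%s\n' "$SAMPLE_DH1024" | classify_dh
```

Two points worth keeping in mind when reading the verdict. The group size is chosen by the TLS server, so for a STARTTLS=client failure the relevant parameters are the remote server's; a dhparams.pem under /etc/mail only affects the groups your own sendmail offers when it is the server side of a handshake. And a probe run from a CentOS 9 host with the default policy reproduces the failure rather than showing the size, which is why the lenient variant sets @SECLEVEL=0 in the cipher string for the probe alone.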
Server Temp Key: DH, 1024 bits
How do you get this dh key? If I do this on my server I get this
[]# openssl s_client -connect xxxxxxxxxx:25 -starttls smtp | grep -i 'key'
Maybe you are using a different openssl version (or .cnf file)
or maybe the server configuration has been changed?
Does the original problem still exist?