Re: OpenSSL 3.4.x supported?

On 06/01/25 9:48 pm, Claus Aßmann wrote:

AMM  wrote:
 

EOPENSSL_CONF=/etc/mail/sendmail.ossl

 

In my case this file does not exist.

 That's the entire idea - as the release notes entry explains:
 

Note: OpenSSL 3 loads by default an openssl.cnf file from a location
specified in the library which may cause unwanted behaviour in sendmail.

 

It is not clear what unwanted behaviour can occur if OpenSSL defaults
are used?

 Check the OpenSSL config file / documentation, e.g., wrt
"security level".

Thank you for your response. However, it is still not clear what unwanted behaviour can occur? If you can explain, then please do.

 

  Didn't sendmail use OpenSSL defaults, earlier too?

 sendmail never explicitly use{s,d} OpenSSL config files.
 

Ideally, what setting should be mentioned in /etc/mail/sendmail.ossl?

Currently I have this in sendmail.mc file: (using from few years)
dnl # recommended from https://weakdh.org/sysadmin.html
LOCAL_CONFIG
O CipherList=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
O DHParameters=/etc/ssl/dhparams.pem
O ServerSSLOptions=+SSL_OP_CIPHER_SERVER_PREFERENCE
Hopefully this is what is sufficient.
Regards
AMM.