Change SSL security level per host/IP when sending email

https://www.novabbs.com/computers/article-flat.php?id=900&group=comp.mail.sendmail#900

Newsgroups: comp.mail.sendmail
From: anon.am...@gmail.com (AMM)
Subject: Change SSL security level per host/IP when sending email
Date: Tue, 2 Jan 2024 21:43:39 -0800 (PST)
Message-ID: <42a902a9-bf1c-4bcd-8234-c3d889b82cf7n@googlegroups.com>
 by: AMM - Wed, 3 Jan 2024 05:43 UTC

Hello,

Recently I switched to OpenSSL 3.2, which now defaults to security level 2. This means that it now requires the DH key to be at least 2048 bits long.

For details see:
https://www.openssl.org/docs/man3.2/man3/SSL_CTX_set_security_level.html

Due to this, when sendmail sends email to a (now broken) server which still uses 1024-bit DH keys, the email fails with a "DH key too small" SSL error.

SMTP reply comes as "454 4.7.0 TLS handshake failed."

Example server: mail.rediffmailpro.com

Is there a way I can ask sendmail to downgrade security level to 1, for that particular server? (say via clt_features?)

Currently I fixed the problem by disabling TLS for that server:
Try_TLS:mail.rediffmailpro.com NO

But I do not want to disable TLS completely. I just want it to switch to security level 1.

Any idea?

Thanks and regards

AMM

Re: Change SSL security level per host/IP when sending email

https://www.novabbs.com/computers/article-flat.php?id=901&group=comp.mail.sendmail#901

Newsgroups: comp.mail.sendmail
From: INVALID_...@esmtp.org (Claus Aßmann)
Subject: Re: Change SSL security level per host/IP when sending email
Date: Wed, 3 Jan 2024 01:17:57 -0500 (EST)
Organization: MGT Consulting
Message-ID: <un2u6l$d5l$1@news.misty.com>
References: <42a902a9-bf1c-4bcd-8234-c3d889b82cf7n@googlegroups.com>
 by: Claus Aßmann - Wed, 3 Jan 2024 06:17 UTC

AMM wrote:

> Recently I switched to OpenSSL 3.2 which now defaults to security level
> 2 by default. Which means that it now requires DH key to be at least 2048
> bit long.

BTW: so no DANE support enabled for sendmail?

> Due to this when sendmail sends email to (now broken) server, which
> still uses 1024 bit DH keys, then email fails with "DH key too small"
> SSL error.

Did you try to disable ciphersuites which use DH?

> But I do not want to disable TLS completely. I just want it to switch to
> security level 1.

Can you override it via the OpenSSL config file?
As documented:

Note: OpenSSL 3 loads by default an openssl.cnf file from a location
specified in the library which may cause unwanted behaviour in
sendmail. Hence sendmail sets the environment variable OPENSSL_CONF
to /etc/mail/sendmail.ossl to override the default. The file name
can be changed by defining confOPENSSL_CNF in the mc file; using
an empty value prevents setting OPENSSL_CONF. Note: referring to
a file which does not exist does not cause an error.

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.

Re: Change SSL security level per host/IP when sending email

https://www.novabbs.com/computers/article-flat.php?id=902&group=comp.mail.sendmail#902

Newsgroups: comp.mail.sendmail
From: anon.am...@gmail.com (AMM)
Subject: Re: Change SSL security level per host/IP when sending email
Date: Wed, 3 Jan 2024 12:39:57 +0530
Message-ID: <un3188$34e1a$1@dont-email.me>
References: <42a902a9-bf1c-4bcd-8234-c3d889b82cf7n@googlegroups.com>
<un2u6l$d5l$1@news.misty.com>
 by: AMM - Wed, 3 Jan 2024 07:09 UTC

Hello

Thank you for the prompt reply.

On 03/01/24 11:47, Claus Aßmann wrote:
> AMM wrote:
>
>> Recently I switched to OpenSSL 3.2 which now defaults to security level
>> 2 by default. Which means that it now requires DH key to be at least 2048
>> bit long.
>
> BTW: so no DANE support enabled for sendmail?

I can see -DDANE mentioned in site.config.m4 but I have no clue what it
does.

>> Due to this when sendmail sends email to (now broken) server, which
>> still uses 1024 bit DH keys, then email fails with "DH key too small"
>> SSL error.
>
> Did you try to disable ciphersuites which use DH?

No, but I don't intend to do this for all domains, just for certain
domains.

>> But I do not want to disable TLS completely. I just want it to switch to
>> security level 1.
>
> Can you override it via the OpenSSL config file?
> As documented:
>
> Note: OpenSSL 3 loads by default an openssl.cnf file from a location
> specified in the library which may cause unwanted behaviour in
> sendmail. Hence sendmail sets the environment variable OPENSSL_CONF
> to /etc/mail/sendmail.ossl to override the default. The file name
> can be changed by defining confOPENSSL_CNF in the mc file; using
> an empty value prevents setting OPENSSL_CONF. Note: referring to
> a file which does not exist does not cause an error.

Again this will switch security level to 1 for all emails instead of
only for certain domains.

It would be nice if this feature could be implemented in clt_features,
so that it would use security level 1 for certain domains.

Thank you.

AMM

Re: Change SSL security level per host/IP when sending email

https://www.novabbs.com/computers/article-flat.php?id=903&group=comp.mail.sendmail#903

Newsgroups: comp.mail.sendmail
From: INVALID_...@esmtp.org (Claus Aßmann)
Subject: Re: Change SSL security level per host/IP when sending email
Date: Wed, 3 Jan 2024 05:34:37 -0500 (EST)
Organization: MGT Consulting
Message-ID: <un3d7t$10b$1@news.misty.com>
References: <42a902a9-bf1c-4bcd-8234-c3d889b82cf7n@googlegroups.com> <un2u6l$d5l$1@news.misty.com> <un3188$34e1a$1@dont-email.me>
 by: Claus Aßmann - Wed, 3 Jan 2024 10:34 UTC

AMM wrote:

> >> Recently I switched to OpenSSL 3.2 which now defaults to security level

> I can see -DDANE mentioned in site.config.m4 but I have no clue what it

Look for DANE in the fine documentation...
Do you use OpenSSL 3.2.0 and sendmail 8.18?
The former has a bug in its DANE code.

> It would be nice if this feature can be implemented in clt_features,
> where it will use security level 1 for certain domains.

That's not possible - sendmail does not support those openssl
"security level"s.

Do you actually gain anything by using "security level 2"
then using STARTTLS in an MTA?
Just because the OpenSSL people thought it would be a cool
feature doesn't mean it's useful for SMTP (AFAIR postfix
disables that stuff too).

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.

Re: Change SSL security level per host/IP when sending email

https://www.novabbs.com/computers/article-flat.php?id=905&group=comp.mail.sendmail#905

Newsgroups: comp.mail.sendmail
From: anon.am...@gmail.com (AMM)
Subject: Re: Change SSL security level per host/IP when sending email
Date: Thu, 4 Jan 2024 08:25:03 +0530
Message-ID: <un56ma$3hekd$1@dont-email.me>
References: <42a902a9-bf1c-4bcd-8234-c3d889b82cf7n@googlegroups.com>
<un2u6l$d5l$1@news.misty.com> <un3188$34e1a$1@dont-email.me>
<un3d7t$10b$1@news.misty.com>
 by: AMM - Thu, 4 Jan 2024 02:55 UTC

On 03/01/24 16:04, Claus Aßmann wrote:
> AMM wrote:
>
>>>> Recently I switched to OpenSSL 3.2 which now defaults to security level
>
>> I can see -DDANE mentioned in site.config.m4 but I have no clue what it
>
> Look for DANE in the fine documentation...
> Do you use OpenSSL 3.2.0 and sendmail 8.18?
> The former has a bug in its DANE code.

Can it create an issue if I don't use DANE but have -DDANE specified in
site.config.m4 when compiling sendmail?

I use OpenSSL 3.2.0 and sendmail 8.17.2 - via Arch Linux repository.

>> It would be nice if this feature can be implemented in clt_features,
>> where it will use security level 1 for certain domains.
>
> That's not possible - sendmail does not support those openssl
> "security level"s.

Then I think it should. Because if you don't use any security level, then
the default security level is used anyway (1 for OpenSSL < 3.2.0 and 2 for
OpenSSL >= 3.2.0).

https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html

Sooner or later, when people start moving to OpenSSL 3.2.0, there will be
a case where certain X servers will be using OpenSSL >= 3.2.0 and certain
Y servers will be using OpenSSL < 3.2.0, and they won't be able to connect
to each other.

So sendmail will need to provide an option to either decrease security
level to 1 globally OR provide that option in srv/clt_features.

> Do you actually gain anything by using "security level 2"
> then using STARTTLS in an MTA?
> Just because the OpenSSL people thought it would be a cool
> feature doesn't mean it's useful for SMTP (AFAIR postfix
> disables that stuff too).

It does use STARTTLS. Error occurs after STARTTLS.

As per OpenSSL, Security Level 1 is now not so secure.

If you Google "Is DH 1024 safe", you will see that most experts mention
it as weak. That is the reason OpenSSL is moving to Security level 2.

If you can guide me then I can create a patch where it downgrades
security level to 1. (for now)

Thank you and regards

AMM.

Re: Change SSL security level per host/IP when sending email

https://www.novabbs.com/computers/article-flat.php?id=906&group=comp.mail.sendmail#906

Newsgroups: comp.mail.sendmail
From: anon.am...@gmail.com (AMM)
Subject: Re: Change SSL security level per host/IP when sending email
Date: Thu, 4 Jan 2024 11:15:06 +0530
Message-ID: <un5gl5$3ien7$1@dont-email.me>
References: <42a902a9-bf1c-4bcd-8234-c3d889b82cf7n@googlegroups.com>
<un2u6l$d5l$1@news.misty.com> <un3188$34e1a$1@dont-email.me>
<un3d7t$10b$1@news.misty.com> <un56ma$3hekd$1@dont-email.me>
 by: AMM - Thu, 4 Jan 2024 05:45 UTC

OK, I resolved this by adding this to CipherList in sendmail.cf/.mc:

O CipherList=...:@SECLEVEL=1

This asks OpenSSL to use Security Level 1 instead of the default 2.

If you do not want to do it globally but only for the broken server, then see
FEATURE(tls_clt_features). I have not tested this but it can be a starting
point.

Hope it helps others who have the same issue of "DH key too small" when
sending email to some servers.

This way you do not need to disable STARTTLS for that server but can still
support servers which still use a 1028-bit DH key.

Regards,

AMM

On 04/01/24 08:25, AMM wrote:
>
>
> On 03/01/24 16:04, Claus Aßmann wrote:
>> AMM  wrote:
>>
>>>>> Recently I switched to OpenSSL 3.2 which now defaults to security
>>>>> level
>>
>>> I can see -DDANE mentioned in site.config.m4 but I have no clue what it
>>
>> Look for DANE in the fine documentation...
>> Do you use OpenSSL 3.2.0 and sendmail 8.18?
>> The former has a bug in its DANE code.
>
> Can it create an issue if I don't use DANE but have -DDANE specified in
> site.config.m4 when compiling sendmail?
>
> I use OpenSSL 3.2.0 and sendmail 8.17.2 - via Arch Linux repository.
>
>>> It would be nice if this feature can be implemented in clt_features,
>>> where it will use security level 1 for certain domains.
>>
>> That's not possible - sendmail does not support those openssl
>> "security level"s.
>
> Then I think it should. Because if you don't use any security level, then
> the default security level is used anyway (1 for OpenSSL < 3.2.0 and 2 for
> OpenSSL >= 3.2.0).
>
> https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html
>
> Sooner or later, when people start moving to OpenSSL 3.2.0, there will be
> a case where certain X servers will be using OpenSSL >= 3.2.0 and certain
> Y servers will be using OpenSSL < 3.2.0, and they won't be able to connect
> to each other.
>
> So sendmail will need to provide an option to either decrease security
> level to 1 globally OR provide that option in srv/clt_features.
>
>> Do you actually gain anything by using "security level 2"
>> then using STARTTLS in an MTA?
>> Just because the OpenSSL people thought it would be a cool
>> feature doesn't mean it's useful for SMTP (AFAIR postfix
>> disables that stuff too).
>
> It does use STARTTLS. Error occurs after STARTTLS.
>
> As per OpenSSL, Security Level 1 is now not so secure.
>
> If you Google "Is DH 1024 safe", you will see that most experts mention
> it as weak. That is the reason OpenSSL is moving to Security level 2.
>
> If you can guide me then I can create a patch where it downgrades
> security level to 1. (for now)
>
> Thank you and regards
>
> AMM.
