Bug#847743: sendmail: STARTTLS server fails with "ca md too weak"
On 2016-12-11 11:22, Joerg Dorchain wrote:
> following testing after upgrading from 8.15.2-6 to 8.15.2-7,
> sendmail does not accept certain incoming connections anymore
> and refuses the STARTTLS handshake with "ca md too weak".
That is probably because the -7 package got built against openssl 1.1
while -6 was still at openssl 1.0.
Cc:ing Kurt (the openssl maintainer), maybe he has some hints.
> The most reproducible way I have found so far is the DANE validator at
> https://dane.sys4.de/, which leaves a log entry, e.g.:
> Dec 11 11:04:54 Redstar sm-mta[18223]: STARTTLS=server, error: accept failed=-1, reason=ca md too weak, SSL_error=1, errno=0, retry=-1, relay=dane.sys4.de [IPv6:2001:1578:400:111:0:0:3:1]
>
> Other affected parties include e.g. amazon.
Andreas