Bug#847743: STARTTLS server fails with "ca md too weak"

To: submit@bugs.debian.org
Subject: Bug#847743: STARTTLS server fails with "ca md too weak"
From: Joerg Dorchain <joerg@dorchain.net>
Date: Sun, 11 Dec 2016 11:22:55 +0100
Message-id: <[🔎] 20161211102255.mrbfcbc64xdm2j56@Redstar.dorchain.net>
Reply-to: Joerg Dorchain <joerg@dorchain.net>, 847743@bugs.debian.org

Package: sendmail-bin
Version: 8.15.2-7

Hello,

following testing after upgrading from 8.15.2-6 to 8.15.2-7,
sendmail does not accept certain incoming connections anymore
and refuses the STARTTLS handshake with "ca md too weak".

Most reproduceable way I found by now is the DANE validator at
https://dane.sys4.de/, which leave a log entry e.g.:
Dec 11 11:04:54 Redstar sm-mta[18223]: STARTTLS=server, error: accept failed=-1, reason=ca md too weak, SSL_error=1, errno=0, retry=-1, relay=dane.sys4.de [IPv6:2001:1578:400:111:0:0:3:1]

Other affected parties include e.g. amazon.

Bye,

Joerg

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Bug#847743: sendmail: STARTTLS server fails with "ca md too weak"
  - From: Andreas Beckmann <anbe@debian.org>

Prev by Date: Bug#822001: libcorelinux: Build arch:all+arch:any but is missing build-{arch,indep} targets
Next by Date: Bug#847743: sendmail: STARTTLS server fails with "ca md too weak"
Previous by thread: Bug#822001: libcorelinux: Build arch:all+arch:any but is missing build-{arch,indep} targets
Next by thread: Bug#847743: sendmail: STARTTLS server fails with "ca md too weak"
Index(es):
- Date
- Thread