
Bug#847743: sendmail: STARTTLS server fails with "ca md too weak"



On 2016-12-11 11:22, Joerg Dorchain wrote:
> following testing after upgrading from 8.15.2-6 to 8.15.2-7,
> sendmail does not accept certain incoming connections anymore
> and refuses the STARTTLS handshake with "ca md too weak".

That is probably because the -7 package got built against openssl 1.1
while -6 was still at openssl 1.0.

Cc:ing Kurt (the openssl maintainer), maybe he has some hints.

> Most reproducible way I found by now is the DANE validator at
> https://dane.sys4.de/, which leaves a log entry e.g.:
> Dec 11 11:04:54 Redstar sm-mta[18223]: STARTTLS=server, error: accept failed=-1, reason=ca md too weak, SSL_error=1, errno=0, retry=-1, relay=dane.sys4.de [IPv6:2001:1578:400:111:0:0:3:1]
> 
> Other affected parties include e.g. amazon.


Andreas
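
To see which relays are affected, the `STARTTLS=server` failure lines in the mail log can be grouped by reason and relay host. The script below is an added example, not part of the original message or of sendmail; only the first sample line comes from the report, the other lines and hosts are constructed.

```python
import re
from collections import defaultdict

# First line is the entry quoted in the report; the rest are constructed
# sample lines (example.net / example.org hosts are made up).
SAMPLE_LOG = """\
Dec 11 11:04:54 Redstar sm-mta[18223]: STARTTLS=server, error: accept failed=-1, reason=ca md too weak, SSL_error=1, errno=0, retry=-1, relay=dane.sys4.de [IPv6:2001:1578:400:111:0:0:3:1]
Dec 11 11:09:02 Redstar sm-mta[18301]: STARTTLS=server, error: accept failed=-1, reason=ca md too weak, SSL_error=1, errno=0, retry=-1, relay=mx.example.net [192.0.2.10]
Dec 11 11:09:40 Redstar sm-mta[18307]: STARTTLS=server, relay=mail.example.org [198.51.100.7], version=TLSv1.2, verify=NO, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
Dec 11 11:12:13 Redstar sm-mta[18350]: STARTTLS=server, error: accept failed=-1, reason=ca md too weak, SSL_error=1, errno=0, retry=-1, relay=dane.sys4.de [IPv6:2001:1578:400:111:0:0:3:1]
"""

# Matches only failed server-side handshakes; successful ones are skipped.
LINE_RE = re.compile(
    r"sm-mta\[\d+\]: STARTTLS=server, error: accept failed=-?\d+, (?P<fields>.*)$"
)

def parse_failure(line):
    """Return reason/host/addr for a failed STARTTLS accept, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {}
    # Fields are ", "-separated key=value pairs; values may contain spaces.
    for part in m.group("fields").split(", "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    host, _, addr = fields.get("relay", "").partition(" ")
    return {"reason": fields.get("reason"), "host": host, "addr": addr.strip("[]")}

def failures_by_reason(log_text):
    """Count failed handshakes per reason and relay host."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_failure(line)
        if rec:
            counts[rec["reason"]][rec["host"]] += 1
    return {reason: dict(hosts) for reason, hosts in counts.items()}

if __name__ == "__main__":
    for reason, hosts in failures_by_reason(SAMPLE_LOG).items():
        for host, n in sorted(hosts.items()):
            print(f"{reason!r}: {host} x{n}")
```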

