
Bug#847743: sendmail: STARTTLS server fails with "ca md too weak"



On Sun, Dec 11, 2016 at 12:11:02PM +0100, Andreas Beckmann wrote:
> On 2016-12-11 11:22, Joerg Dorchain wrote:
> > following testing after upgrading from 8.15.2-6 to 8.15.2-7,
> > sendmail does not accept certain incoming connections anymore
> > and refuses the STARTTLS handshake with "ca md too weak".
> 
> That is probably because the -7 package got built against openssl 1.1
> while -6 was still at openssl 1.0.
> 
> Cc:ing Kurt (the openssl maintainer), maybe he has some hints.
> 
> > Most reproducible way I found by now is the DANE validator at
> > https://dane.sys4.de/, which leaves a log entry e.g.:
> > Dec 11 11:04:54 Redstar sm-mta[18223]: STARTTLS=server, error: accept failed=-1, reason=ca md too weak, SSL_error=1, errno=0, retry=-1, relay=dane.sys4.de [IPv6:2001:1578:400:111:0:0:3:1]
> > 
> > Other affected parties include e.g. amazon.

With SMTP you really have no security unless you're using DANE.
The defaults openssl sets now might not make sense for smtp in
general, but they should actually be good.

Note that that check is only in case of a CA certificate. So a
CA is in use, and they really should use a proper signature
algorithm in that case.

I think that the CA is on your end. If it's the same as on your
website, the intermediate "CAcert Class 3 Root" is with MD5, while
the end certificate is with SHA512. I suggest you replace the CA
certs with newer ones. CAcert will probably have newer ones.

It seems the smtp servers don't want to talk to me, so I couldn't
check that.


Kurt
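To see which certificate in a chain trips this check, here is an added example (not sendmail's or OpenSSL's code; written for this bug report). It applies the rule OpenSSL 1.1 uses in ssl_security_cert_sig: a certificate's signature is rated at half its digest length in bits (MD5 64, SHA-1 80, SHA-512 256), the default security level 1 demands 80, and self-signed certificates are not checked. So an MD5-signed intermediate fails with "ca md too weak" while a SHA-512 leaf and an MD5 self-signed trust anchor pass. The chain at the bottom is constructed with placeholder keys and signatures; its names and the helper names are assumptions for the example, not CAcert's real certificates.

```python
"""Report which certificates in a chain OpenSSL 1.1 rejects with "ca md too weak".

Added example for this bug report, not sendmail's or OpenSSL's own code.
Standard library only: a small DER reader suffices, since only the outer
Certificate structure and the issuer/subject Names are needed.
"""
import base64
import re

# Signature-algorithm OID -> (digest name, digest length in bytes)
SIG_OID_DIGEST = {
    "1.2.840.113549.1.1.2": ("md2", 16),
    "1.2.840.113549.1.1.4": ("md5", 16),
    "1.2.840.113549.1.1.5": ("sha1", 20),
    "1.2.840.113549.1.1.14": ("sha224", 28),
    "1.2.840.113549.1.1.11": ("sha256", 32),
    "1.2.840.113549.1.1.12": ("sha384", 48),
    "1.2.840.113549.1.1.13": ("sha512", 64),
    "1.2.840.10045.4.1": ("sha1", 20),       # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": ("sha256", 32),   # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": ("sha384", 48),
    "1.2.840.10045.4.3.4": ("sha512", 64),
}
# Minimum signature strength per OpenSSL security level (SSL_CTX_set_security_level)
MIN_BITS = {0: 0, 1: 80, 2: 112, 3: 128, 4: 192, 5: 256}


def der_tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed value into (tag, value, raw_tlv) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, end = der_tlv(value, pos)
        out.append((tag, val, value[pos:end]))
        pos = end
    return out


def decode_oid(value):
    parts, n = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(n))
            n = 0
    return ".".join(parts)


def cert_info(cert_der):
    """Return (signature OID, is_self_signed) for one DER certificate."""
    tbs, sig_alg = der_children(der_tlv(cert_der)[1])[:2]   # tbsCertificate, signatureAlgorithm
    oid = decode_oid(der_children(sig_alg[1])[0][1])
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:              # drop the optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return oid, fields[2][2] == fields[4][2]   # self-signed: issuer Name == subject Name


def check_chain(certs_der, level=1, openssl3=False):
    """1.1 rule: secbits = half the digest size; self-signed certs are skipped."""
    results = []
    for i, cert_der in enumerate(certs_der):
        oid, self_signed = cert_info(cert_der)
        digest, size = SIG_OID_DIGEST.get(oid, (oid, 0))
        secbits = size * 4
        if openssl3:                      # OpenSSL 3 rates MD5 and SHA-1 lower still
            secbits = {"md5": 39, "sha1": 64}.get(digest, secbits)
        if self_signed:
            verdict = "skipped (self-signed)"
        elif secbits >= MIN_BITS[level]:
            verdict = "ok"
        else:
            verdict = "ca md too weak"
        results.append((i, digest, secbits, verdict))
    return results


def pem_to_ders(text):
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


# --- constructed sample chain: structurally valid DER, placeholder key and signature ---
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    body = bytes([p[0] * 40 + p[1]])
    for v in p[2:]:
        chunks = [v & 0x7F]
        while v >> 7:
            v >>= 7
            chunks.append(0x80 | (v & 0x7F))
        body += bytes(reversed(chunks))
    return der(0x06, body)


def name(cn):   # Name = SEQUENCE OF SET OF AttributeTypeAndValue, commonName only
    return der(0x30, der(0x31, der(0x30, encode_oid("2.5.4.3") + der(0x0C, cn.encode()))))


def fake_cert(subject, issuer, sig_oid):
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"161211000000Z") + der(0x17, b"261211000000Z"))
    spki = der(0x30, der(0x30, encode_oid("1.2.840.113549.1.1.1") + der(0x05, b"")) + der(0x03, bytes(33)))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + name(issuer) + validity + name(subject) + spki)
    return der(0x30, tbs + alg + der(0x03, bytes(33)))


SAMPLE_CHAIN = [   # constructed; names are assumptions for the example
    fake_cert("mail.example.org", "Constructed Class 3 CA", "1.2.840.113549.1.1.13"),  # leaf, SHA-512
    fake_cert("Constructed Class 3 CA", "Constructed Root CA", "1.2.840.113549.1.1.4"),  # intermediate, MD5
    fake_cert("Constructed Root CA", "Constructed Root CA", "1.2.840.113549.1.1.4"),     # root, MD5, self-signed
]

if __name__ == "__main__":
    import sys
    ders = pem_to_ders(open(sys.argv[1]).read()) if len(sys.argv) > 1 else SAMPLE_CHAIN
    for i, digest, bits, verdict in check_chain(ders):
        print(f"cert {i}: signature digest {digest}, {bits} security bits -> {verdict}")
```

Run it against the chain file sendmail is configured with, or against the output of `openssl s_client -starttls smtp -connect host:25 -showcerts` to check what a peer actually sends; `openssl x509 -noout -text` prints the same `Signature Algorithm` line per certificate if you prefer to eyeball it. The `openssl3` flag reflects that OpenSSL 3 rates MD5 at 39 bits and SHA-1 at 64, so a SHA-1-signed intermediate fails at level 1 there too; under 1.1 it passes level 1 and fails level 2.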

