[OSX-Users] Re: Warning: El Capitan Beta 3 release note for Apple Mail.app

Julian Field Jules at ecs.soton.ac.uk
Wed Jul 8 20:13:29 BST 2015 

It's not just a workaround.

I've updated sendmail and openssl to latest available versions, and 
totally reconfigured the list of ciphers that sendmail will let people 
use, so there's no chance clients will try to connect with an old (now 
useless) cipher which then fails because the SSL libraries both ends 
won't allow it. So goodnight to all the "export grade" cipher suites.
We now also have a unique 2048-bit Diffie-Hellman group, which makes it 
*far* harder to crack the session. The old one was only 512 bits, which 
is no longer enough.

If you want to know the gory details, here's the lines from sendmail.cf:

O 
CipherList=ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
O DHParameters=/usr/share/ssl/certs/dhparams.pem

where the dhparams.pem file was created with
     openssl dhparam -out dhparams.pem 2048

I think that's enough for today.

If anyone still can't connect in the morning, holler.

Cheers,
Jules.


On 08/07/2015 20:04, Nick Gibbins wrote:
> The workaround is working (as you can see), but it's a little frustrating when Apple manage to break things :/
>
>

Jules

-- 
Jules Field MEng MBCS CITP CEng
email+iMessage: Jules at ecs.soton.ac.uk
Twitter: @JulesFM

Senior Tutor, Postmaster
Electronics and Computer Science
University of Southampton SO17 1BJ, UK

'We face neither East nor West: we face forward.' - Kwame Nkrumah

More information about the Osx-users mailing list