Bug 172352 (CVE-2006-7175) - Sendmail allows SSLv2 during STARTTLS, and the CipherList config option isn't supported so you can't turn it off
Summary: Sendmail allows SSLv2 during STARTTLS, and the CipherList config option isn't...
Alias: CVE-2006-7175
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: sendmail   
(Show other bugs)
Version: 4.0
Hardware: All
OS: Linux
Target Milestone: ---
: ---
Assignee: Thomas Woerner
QA Contact: David Lawrence
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2005-11-03 07:15 UTC by Dave Miller
Modified: 2010-01-08 08:49 UTC (History)
1 user (show)

Fixed In Version: RHSA-2007-0252
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-05-01 17:12:21 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:0252 normal SHIPPED_LIVE Low: sendmail security and bug fix update 2007-05-01 17:11:07 UTC

Description Dave Miller 2005-11-03 07:15:53 UTC
Description of problem:
SSLv2 is not considered secure anymore.  Sendmail by default enables all ciphers
supported by openssl.  In order to disable SSLv2, you need to use the CipherList
directive in the LOCAL_CONFIG section of the sendmail.mc file. 
(http://sial.org/howto/sendmail/cipherlist/)  However, the sendmail shipped with
RHEL4 does not support this directive.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.Add "O CipherList=<list of ciphers>" to your LOCAL_CONFIG section of sendmail.mc
3.service sendmail restart
Actual results:
Starting sendmail: 554 5.0.0 /etc/mail/sendmail.cf: line 169: readcf: unknown
option name CipherList

Expected results:
Sendmail starts and restricts SSLv2 usage

Ideally, RedHat would ship with this already enabled and configured to restrict

Additional info:
I successfully recompiled the SRPM to enable this option with the following patch:

--- sendmail.spec.orig  Wed Nov  2 23:11:03 2005
+++ sendmail.spec       Wed Nov  2 22:56:45 2005
@@ -140,7 +140,7 @@
 cat > redhat.config.m4 << EOF
 define(\`confOPTIMIZE', \`${RPM_OPT_FLAGS}')
-define(\`confENVDEF', \`-I/usr/include/db3 -I/usr/kerberos/include -Wall
+define(\`confENVDEF', \`-I/usr/include/db3 -I/usr/kerberos/include -Wall
 define(\`confLIBDIRS', \`-L/usr/kerberos/%{_lib}')
 define(\`confLIBS', \`-lnsl -lwrap -lhesiod -lcrypt -ldb')
 define(\`confMANOWN', \`root')

(beware of line wrapping in Bugzilla -- the important part is adding the
-D_FFR_TLS_1 to the end of confENVDEF)

Comment 1 RHEL Product and Program Management 2006-08-18 17:06:38 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update

Comment 6 Mark J. Cox 2007-04-27 10:59:11 UTC
Whilst we're going to add support for CipherList in the upcoming update,
Sendmail classes the CipherList directive as "for future release"; currently
unsupported and undocumented. Therefore the lack of support for the CipherList
directive in various Red Hat products is not a vulnerability.  We've disputed

Comment 7 Red Hat Bugzilla 2007-05-01 17:12:21 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Comment 8 Dave Miller 2007-05-09 22:53:35 UTC
I would say this *is* a vulnerability, not so much that CipherList isn't
supported, but that SSLv1 *is* supported without it.

Comment 9 Dave Miller 2007-05-09 22:54:29 UTC
er, I meant SSLv2, but you know what I meant. :)

Note You need to log in before you can comment on or make changes to this bug.