Bug 172352 - (CVE-2006-7175) Sendmail allows SSLv2 during STARTTLS, and the CipherList config option isn't supported so you can't turn it off
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: sendmail
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Thomas Woerner
QA Contact: David Lawrence
Keywords: Security
Reported: 2005-11-03 02:15 EST by Dave Miller
Modified: 2010-01-08 03:49 EST
Fixed In Version: RHSA-2007-0252
Doc Type: Bug Fix
Last Closed: 2007-05-01 13:12:21 EDT
Attachments: None
Description Dave Miller 2005-11-03 02:15:53 EST
Description of problem:
SSLv2 is not considered secure anymore.  Sendmail by default enables all ciphers
supported by openssl.  In order to disable SSLv2, you need to use the CipherList
directive in the LOCAL_CONFIG section of the sendmail.mc file. 
(http://sial.org/howto/sendmail/cipherlist/)  However, the sendmail shipped with
RHEL4 does not support this directive.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Add "O CipherList=<list of ciphers>" to your LOCAL_CONFIG section of sendmail.mc
2. service sendmail restart
Actual results:
Starting sendmail: 554 5.0.0 /etc/mail/sendmail.cf: line 169: readcf: unknown
option name CipherList

Expected results:
Sendmail starts and restricts SSLv2 usage

Ideally, RedHat would ship with this already enabled and configured to restrict

Additional info:
I successfully recompiled the SRPM to enable this option with the following patch:

--- sendmail.spec.orig  Wed Nov  2 23:11:03 2005
+++ sendmail.spec       Wed Nov  2 22:56:45 2005
@@ -140,7 +140,7 @@
 cat > redhat.config.m4 << EOF
 define(\`confOPTIMIZE', \`${RPM_OPT_FLAGS}')
-define(\`confENVDEF', \`-I/usr/include/db3 -I/usr/kerberos/include -Wall
+define(\`confENVDEF', \`-I/usr/include/db3 -I/usr/kerberos/include -Wall
 define(\`confLIBDIRS', \`-L/usr/kerberos/%{_lib}')
 define(\`confLIBS', \`-lnsl -lwrap -lhesiod -lcrypt -ldb')
 define(\`confMANOWN', \`root')
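Review bot: the `+` line of the confENVDEF hunk is byte-for-byte identical to the `-` line it replaces, and both are cut off before the closing `')` of the define, so the `-D_FFR_TLS_1` flag this patch is meant to add is not in the diff as pasted and the hunk would apply as a no-op. Since Bugzilla wraps long lines, attach the spec diff as a file instead of pasting it inline, or at least show the full replacement line, e.g. `+define(\`confENVDEF', \`-I/usr/include/db3 -I/usr/kerberos/include -Wall -D_FFR_TLS_1')`. Minor: the `---` file (sendmail.spec.orig, 23:11) carries a later timestamp than the `+++` file (sendmail.spec, 22:56), which suggests the .orig copy was recreated after editing; worth double-checking the diff direction before reposting.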

(beware of line wrapping in Bugzilla -- the important part is adding the
-D_FFR_TLS_1 to the end of confENVDEF)
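A way to verify, on a mail server you administer, whether STARTTLS still accepts an SSLv2 handshake once the CipherList option is (or is not) in effect. This is an added example, not code from the bug report or from sendmail: it speaks just enough SMTP to reach STARTTLS, sends an SSLv2 CLIENT-HELLO built from the SSL 2.0 record layout, and classifies the reply. The cipher-spec identifiers are the ones defined by the SSL 2.0 specification; the client name used in EHLO, the host/port defaults and the `probe_starttls_sslv2` name are assumptions. `analyze_reply` is kept separate from the network code so it can be exercised on constructed byte strings offline.

```python
"""Check whether an SMTP server negotiates SSLv2 after STARTTLS (added example)."""
import os
import socket
import struct

# SSLv2 cipher-spec identifiers (3 bytes each) from the SSL 2.0 specification.
SSLV2_CIPHER_SPECS = [
    b"\x01\x00\x80",  # SSL_CK_RC4_128_WITH_MD5
    b"\x02\x00\x80",  # SSL_CK_RC4_128_EXPORT40_WITH_MD5
    b"\x03\x00\x80",  # SSL_CK_RC2_128_CBC_WITH_MD5
    b"\x04\x00\x80",  # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    b"\x05\x00\x80",  # SSL_CK_IDEA_128_CBC_WITH_MD5
    b"\x06\x00\x40",  # SSL_CK_DES_64_CBC_WITH_MD5
    b"\x07\x00\xc0",  # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
]

SSL2_MT_ERROR = 0
SSL2_MT_CLIENT_HELLO = 1
SSL2_MT_SERVER_HELLO = 4


def build_sslv2_client_hello(challenge=None):
    """Return a complete SSLv2 CLIENT-HELLO record (2-byte header + body)."""
    challenge = challenge if challenge is not None else os.urandom(16)
    ciphers = b"".join(SSLV2_CIPHER_SPECS)
    body = (
        bytes([SSL2_MT_CLIENT_HELLO])
        + b"\x00\x02"                                      # client version: SSL 2.0
        + struct.pack(">HHH", len(ciphers), 0, len(challenge))
        + ciphers                                          # cipher specs, no session id
        + challenge
    )
    # Two-byte record header: high bit set, 15-bit body length, no padding.
    return struct.pack(">H", 0x8000 | len(body)) + body


def analyze_reply(data):
    """Classify the bytes a server sends back after an SSLv2 CLIENT-HELLO.

    Returns (verdict, cipher_specs): verdict is 'sslv2-accepted',
    'sslv2-rejected' or 'unknown'; cipher_specs lists the 3-byte SSLv2
    cipher identifiers offered in a SERVER-HELLO (empty otherwise).
    """
    if not data:
        return "sslv2-rejected", []        # server closed the connection
    if data[0] in (0x15, 0x16):
        return "sslv2-rejected", []        # TLS alert/handshake record, not SSLv2 framing
    if len(data) >= 3 and data[0] & 0x80:
        body_len = struct.unpack(">H", data[:2])[0] & 0x7FFF
        body = data[2:2 + body_len]
        if body and body[0] == SSL2_MT_ERROR:
            return "sslv2-rejected", []    # SSLv2 ERROR message
        if len(body) >= 11 and body[0] == SSL2_MT_SERVER_HELLO:
            # SERVER-HELLO: type, session-id-hit, cert-type, version,
            # cert-len, cipher-len, conn-id-len, then cert, ciphers, conn-id.
            version, cert_len, cipher_len = struct.unpack(">HHH", body[3:9])
            start = 11 + cert_len
            specs = body[start:start + cipher_len]
            ciphers = [specs[i:i + 3] for i in range(0, len(specs) - len(specs) % 3, 3)]
            if version == 0x0002:
                return "sslv2-accepted", ciphers
    return "unknown", []


def _read_reply(sock):
    """Read one (possibly multi-line) SMTP reply; continuation lines have '-' at index 3."""
    lines = []
    while True:
        line = b""
        while not line.endswith(b"\r\n"):
            chunk = sock.recv(1)
            if not chunk:
                return b"".join(lines) + line
            line += chunk
        lines.append(line)
        if len(line) < 4 or line[3:4] != b"-":
            return b"".join(lines)


def probe_starttls_sslv2(host, port=25, timeout=10):
    """Connect, negotiate STARTTLS, send an SSLv2 CLIENT-HELLO and classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        _read_reply(s)                                   # greeting banner
        s.sendall(b"EHLO sslv2-check.example\r\n")       # assumed client name
        if b"STARTTLS" not in _read_reply(s).upper():
            return "no-starttls", []
        s.sendall(b"STARTTLS\r\n")
        if not _read_reply(s).startswith(b"220"):
            return "starttls-refused", []
        s.sendall(build_sslv2_client_hello())
        try:
            reply = s.recv(4096)
        except socket.timeout:
            reply = b""
        return analyze_reply(reply)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    verdict, ciphers = probe_starttls_sslv2(host)
    print(host, verdict, [c.hex() for c in ciphers])
```

A verdict of `sslv2-accepted` from your own server means the default behaviour described in this bug is still in place; after adding a CipherList that excludes SSLv2 and restarting, the same probe should report `sslv2-rejected` (either an SSLv2 ERROR message, a TLS alert, or a closed connection, depending on the OpenSSL build).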
Comment 1 RHEL Product and Program Management 2006-08-18 13:06:38 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
Comment 6 Mark J. Cox (Product Security) 2007-04-27 06:59:11 EDT
Whilst we're going to add support for CipherList in the upcoming update,
Sendmail classes the CipherList directive as "for future release"; currently
unsupported and undocumented. Therefore the lack of support for the CipherList
directive in various Red Hat products is not a vulnerability.  We've disputed
Comment 7 Red Hat Bugzilla 2007-05-01 13:12:21 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

Comment 8 Dave Miller 2007-05-09 18:53:35 EDT
I would say this *is* a vulnerability, not so much that CipherList isn't
supported, but that SSLv1 *is* supported without it.
Comment 9 Dave Miller 2007-05-09 18:54:29 EDT
er, I meant SSLv2, but you know what I meant. :)
