sendmail is vulnerable to "Secure Client-Initiated Renegotiation" DoS according to testssl

Bug #1591705 reported by AlainKnaff
Affects            Status   Importance   Assigned to   Milestone
sendmail (Ubuntu)  New      Undecided    Unassigned

Bug Description

According to testssl, sendmail is vulnerable to "Secure Client-Initiated Renegotiation" DoS, and there seems to be no obvious way to change this using configuration:

testssl@xl:~$ ./testssl.sh -t smtp 127.0.0.1:25
...
 Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat

1) testssl@xl:~$ lsb_release -rd
Description: Ubuntu 14.04.4 LTS
Release: 14.04
testssl@xl:~$ apt-cache policy sendmail
sendmail:
  Installed: 8.14.4-4.1ubuntu1
  Candidate: 8.14.4-4.1ubuntu1
  Version table:
 *** 8.14.4-4.1ubuntu1 0
        500 http://be.archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages
        100 /var/lib/dpkg/status

3) What I expected to happen

Sendmail should either be resilient to this out of the box, or there should be a config option to make it so

4) What happened instead

Sendmail is vulnerable to this condition, without an obvious way to change this using configuration
