sendmail is vulnerable to "Secure Client-Initiated Renegotiation" DoS according to testssl
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
sendmail (Ubuntu) | New | Undecided | Unassigned |
Bug Description
According to testssl, sendmail is vulnerable to a "Secure Client-Initiated Renegotiation" DoS, and there seems to be no obvious way to change this using configuration:
testssl@xl:~$ ./testssl.sh -t smtp 127.0.0.1:25
...
Secure Client-Initiated Renegotiation VULNERABLE (NOT ok), DoS threat
1) testssl@xl:~$ lsb_release -rd
Description: Ubuntu 14.04.4 LTS
Release: 14.04
testssl@xl:~$ apt-cache policy sendmail
sendmail:
Installed: 8.14.4-4.1ubuntu1
Candidate: 8.14.4-4.1ubuntu1
Version table:
*** 8.14.4-4.1ubuntu1 0
500 http://
100 /var/lib/
3) What I expected to happen
Sendmail should either be resilient to this out of the box, or there should be a config option to make it so
4) What happened instead
Sendmail is vulnerable to this condition, without an obvious way to change this using configuration