From housley@thehousleys.net  Mon Mar 12 03:42:23 2001
Return-Path: <housley@thehousleys.net>
Received: from thehousleys.net (frenchknot.ne.mediaone.net [24.147.224.201])
	by hub.freebsd.org (Postfix) with ESMTP id 0E5B637B718
	for <freebsd-gnats-submit@freebsd.org>; Mon, 12 Mar 2001 03:42:23 -0800 (PST)
	(envelope-from housley@thehousleys.net)
Received: (from root@localhost)
	by thehousleys.net (8.11.3/8.11.2) id f2CBgBn43687
	for freebsd-gnats-submit@freebsd.org; Mon, 12 Mar 2001 06:42:11 -0500 (EST)
	(envelope-from housley@baby.int.thehousleys.net)
Received: from baby.int.thehousleys.net (baby.ipv6.thehousleys.net [3ffe:1ce3:6:0:260:8ff:fea3:7fb2])
	by thehousleys.net (8.11.3/8.11.3) with ESMTP id f2CBg9g43679
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 12 Mar 2001 06:42:09 -0500 (EST)
	(envelope-from housley@baby.int.thehousleys.net)
Received: (from housley@localhost)
	by baby.int.thehousleys.net (8.11.3/8.11.3) id f2CBg9D00715;
	Mon, 12 Mar 2001 06:42:09 -0500 (EST)
	(envelope-from housley)
Message-Id: <200103121142.f2CBg9D00715@baby.int.thehousleys.net>
Date: Mon, 12 Mar 2001 06:42:09 -0500 (EST)
From: "James E. Housley" <housley@thehousleys.net>
Reply-To: housley@thehousleys.net
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: STARTTLS is enabled by default, but it needs a certificate
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         25734
>Category:       conf
>Synopsis:       STARTTLS is enabled by default, but it needs a certificate
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    gshapiro
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Mar 12 03:50:01 PST 2001
>Closed-Date:    Tue Mar 13 13:08:18 PST 2001
>Last-Modified:  Tue Mar 13 13:09:01 PST 2001
>Originator:     James E. Housley
>Release:        FreeBSD 4.3-BETA i386
>Organization:
The Housleys dot Net
>Environment:
System: FreeBSD baby.int.thehousleys.net 4.3-BETA FreeBSD 4.3-BETA #5: Sat Mar 10 12:32:28 EST 2001 root@cat.int.thehousleys.net:/mnt3/obj/usr/src/sys/BABYKERNEL i386

>Description:

	When adding SASL support to sendmail for SMTP AUTH, STARTTLS
	becomes active with the current configuration.  STARTTLS needs
	either an OpenSSL-generated certificate or one from an issuing
	authority.  The first causes a warning about an unknown issuer and the
	second costs more than an average user has to spend.

	However, STARTTLS is not needed for SMTP AUTH to operate, and
	the attached patch fixes this.

>How-To-Repeat:
	
>Fix:

Index: usr.sbin/sendmail/Makefile
===================================================================
RCS file: /usr/home/FREEBSD_CVS/src/usr.sbin/sendmail/Makefile,v
retrieving revision 1.15.2.10
diff -u -r1.15.2.10 Makefile
--- usr.sbin/sendmail/Makefile	2001/03/06 01:56:47	1.15.2.10
+++ usr.sbin/sendmail/Makefile	2001/03/12 11:25:47
@@ -50,7 +50,6 @@
 	!defined(NO_OPENSSL) && !defined(RELEASE_CRUNCH)
 # STARTTLS support
 DISTRIBUTION=	crypto
-CFLAGS+=	-DSTARTTLS -D_FFR_TLS_O_T -D_FFR_TLS_1 -D_FFR_TLS_TOREK
 LDADD+=		-lssl -lcrypto
 DPADD+=		${LIBSSL} ${LIBCRYPTO}
 .endif
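Review bot: removing the `CFLAGS+= -DSTARTTLS ...` line turns STARTTLS off for every build that satisfies the `.if` condition at the top of this hunk (`!defined(NO_OPENSSL) && !defined(RELEASE_CRUNCH)`), which tests for OpenSSL availability and says nothing about SASL, so the change is much wider than the SMTP AUTH case the description is about. The lines that remain (`DISTRIBUTION= crypto`, `LDADD+= -lssl -lcrypto`, `DPADD+= ${LIBSSL} ${LIBCRYPTO}`) still link libssl/libcrypto into a binary that no longer uses them, and the `# STARTTLS support` comment above them no longer describes what the block does. If the intent is to make STARTTLS opt-in, gating the define on a make.conf knob would be a smaller change than deleting it from the default build.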
Index: etc/defaults/make.conf
===================================================================
RCS file: /usr/home/FREEBSD_CVS/src/etc/defaults/make.conf,v
retrieving revision 1.97.2.43
diff -u -r1.97.2.43 make.conf
--- etc/defaults/make.conf	2001/03/10 03:34:21	1.97.2.43
+++ etc/defaults/make.conf	2001/03/12 11:29:17
@@ -355,6 +355,12 @@
 #	SENDMAIL_LDFLAGS=-L/usr/local/lib
 #	SENDMAIL_LDADD=-lsasl
 #
+# With SASL support you can enable STARTTLS with the following flags:
+#
+#	SENDMAIL_CFLAGS+=-DSTARTTLS -D_FFR_TLS_O_T -D_FFR_TLS_1 -D_FFR_TLS_TOREK
+#
+# Note: STARTTLS needs a SSL certificate to function.
+#
 # Note: If you are using Cyrus SASL with other applications which require
 #	access to the sasldb file, you should add '-D_FFR_UNSAFE_SASL' to
 #	SENDMAIL_CFLAGS.  Also, add the following to your sendmail.mc file:
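Review bot: the new comment ties STARTTLS to SASL ("With SASL support you can enable STARTTLS"), but the flags it lists are ordinary sendmail compile options that do not depend on SASL, so the sentence should say that these flags are what enables STARTTLS in any build. The example uses `SENDMAIL_CFLAGS+=` while the neighbouring examples (`SENDMAIL_LDFLAGS=-L/usr/local/lib`, `SENDMAIL_LDADD=-lsasl`) and the `SENDMAIL_CFLAGS` reference just below use plain assignment; use one form so a reader copying both does not mix them. Also "a SSL certificate" should read "an SSL certificate".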

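As an added example (not part of this PR or of FreeBSD's sendmail build), the following POSIX sh audit checks the combination the report and its closure turn on: whether a sendmail binary was compiled with STARTTLS and SASL, and whether sendmail.cf names a server certificate. It assumes the `Compiled with:` listing format of `sendmail -d0.1 -bv root` and the `O ServerCertFile=` / `O ServerKeyFile=` / `O AuthMechanisms=` option lines; both sample inputs are constructed.

```shell
# Added example, not part of this PR or of FreeBSD. Both sample inputs are
# constructed: the first mimics the "Compiled with:" block printed by
# `sendmail -d0.1 -bv root`, the second is a sendmail.cf fragment.

SAMPLE_D01='Version 8.11.3
 Compiled with: LOG MATCHGECOS MIME7TO8 MIME8TO7 NAMED_BIND NETINET
                NETINET6 NETUNIX NEWDB NIS SASL SCANF STARTTLS USERDB XDEBUG'

SAMPLE_CF='O AuthMechanisms=DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
O ServerCertFile=
O ServerKeyFile='

# has_option DEBUG_OUTPUT NAME: succeeds if NAME appears after "Compiled with:"
has_option() {
    printf '%s\n' "$1" | awk '/Compiled with:/ { f = 1 } f' \
        | tr -s ' \t' '\n' | grep -qx "$2"
}

# cf_value CF OPTION: prints the value of "O OPTION=value", empty if unset
cf_value() {
    printf '%s\n' "$1" | sed -n "s/^O $2=//p" | head -n 1
}

# audit_starttls DEBUG_OUTPUT CF: prints one status word
#   no-starttls    STARTTLS is not compiled in (the state this patch creates)
#   cleartext-auth no STARTTLS, but SASL offers PLAIN/LOGIN, which carry the
#                  password unencrypted unless the session is under TLS
#   no-cert        STARTTLS compiled in, but ServerCertFile/ServerKeyFile unset
#   ok             STARTTLS compiled in and a server certificate is configured
audit_starttls() {
    if ! has_option "$1" STARTTLS; then
        mechs=$(cf_value "$2" AuthMechanisms)
        case " $mechs " in
            *' PLAIN '*|*' LOGIN '*)
                if has_option "$1" SASL; then echo cleartext-auth; return; fi ;;
        esac
        echo no-starttls; return
    fi
    cert=$(cf_value "$2" ServerCertFile)
    key=$(cf_value "$2" ServerKeyFile)
    if [ -z "$cert" ] || [ -z "$key" ]; then echo no-cert; return; fi
    echo ok
}

audit_starttls "$SAMPLE_D01" "$SAMPLE_CF"   # sample input -> no-cert
```

On a real host, feed it `sendmail -d0.1 -bv root </dev/null` output and the contents of /etc/mail/sendmail.cf instead of the samples.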
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->gshapiro 
Responsible-Changed-By: jeh 
Responsible-Changed-When: Mon Mar 12 03:51:11 PST 2001 
Responsible-Changed-Why:  
Over to sendmail maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=25734 

From: "James E. Housley" <jeh@FreeBSD.org>
To: freebsd-gnats-submit@FreeBSD.org, housley@thehousleys.net
Cc:  
Subject: Re: conf/25734: STARTTLS is enabled by default, but it needs a certificate
Date: Mon, 12 Mar 2001 08:23:42 -0500

 I would also change the comment to be more accurate.
 
 Jim
 
 -- 
 /"\   ASCII Ribbon Campaign  .
 \ / - NO HTML/RTF in e-mail  .
  X  - NO Word docs in e-mail .
 / \ -----------------------------------------------------------------
 jeh@FreeBSD.org      http://www.FreeBSD.org     The Power to Serve
 jim@TheHousleys.Net  http://www.TheHousleys.net
 ---------------------------------------------------------------------
 Life begins at 4.0
 Index: Makefile
 ===================================================================
 RCS file: /usr/home/FREEBSD_CVS/src/usr.sbin/sendmail/Makefile,v
 retrieving revision 1.15.2.10
 diff -u -r1.15.2.10 Makefile
 --- Makefile	2001/03/06 01:56:47	1.15.2.10
 +++ Makefile	2001/03/12 13:21:28
 @@ -48,9 +48,8 @@
  
  .if exists(../../../secure) && !defined(NOCRYPT) && !defined(NOSECURE) && \
  	!defined(NO_OPENSSL) && !defined(RELEASE_CRUNCH)
 -# STARTTLS support
 +# crypto: needed for STARTTLS or SMTP AUTH via SASL
  DISTRIBUTION=	crypto
 -CFLAGS+=	-DSTARTTLS -D_FFR_TLS_O_T -D_FFR_TLS_1 -D_FFR_TLS_TOREK
  LDADD+=		-lssl -lcrypto
  DPADD+=		${LIBSSL} ${LIBCRYPTO}
  .endif
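Review bot: the replacement comment `# crypto: needed for STARTTLS or SMTP AUTH via SASL` is not supported by the block it labels. The `.if` condition tests only for the secure tree and the NOCRYPT/NOSECURE/NO_OPENSSL/RELEASE_CRUNCH knobs, and the lines kept below it add only `-lssl -lcrypto`; nothing in this block provides SASL, which the make.conf hunk in the original report wires in separately through `SENDMAIL_LDADD=-lsasl`. A comment saying the block adds OpenSSL linkage for the STARTTLS flags now set via SENDMAIL_CFLAGS would match what the code does. The point raised on the first version still stands: with `-DSTARTTLS` removed, the libssl/libcrypto linkage is kept for a feature the default build no longer compiles.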
 
State-Changed-From-To: open->closed 
State-Changed-By: gshapiro 
State-Changed-When: Tue Mar 13 13:08:18 PST 2001 
State-Changed-Why:  
Submitter misunderstood relationship between STARTTLS and SASL (SMTP AUTH). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=25734 
>Unformatted:
