kb.hurricane-ridge.com » openssl

Selecting Ciphers in Sendmail

admin — Thu, 20 Jan 2011 22:40:02 +0000

The best reference that I’m aware of for this used to be at http://sial.org/howto/sendmail/cipherlist/ – but DNS to that site is currently broken. The site can be reached by IP address, at least for the time being.

Distilled instructions:

Assuming you are building from source, add the following to your site.config.m4:
```
APPENDDEF(`confENVDEF', `-D_FFR_TLS_1')
```
Next, rebuild the Sendmail binary; when finished, add the following to your sendmail.mc and rebuild your sendmail.cf:
```
LOCAL_CONFIG
O CipherList=DH
```
(Assuming, for whatever reasons, you want to limit ciphers to Diffie-Hellman varieties. Adjust as necessary.)

You can verify your CipherList values using OpenSSL:

> openssl ciphers DH
ADH-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:ADH-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:ADH-DES-CBC3-SHA:ADH-DES-CBC-SHA:EXP-ADH-DES-CBC-SHA:ADH-RC4-MD5:EXP-ADH-RC4-MD5:EDH-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC3-SHA:EDH-DSS-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA

Tested against Sendmail 8.14.1.

Generating Crypted Passwords for Kickstart Files

admin — Mon, 04 Oct 2010 17:38:35 +0000

For Red Hat or clones, or ESX/ESXi, use “grub-md5-crypt”:

> grub-md5-crypt
Password:
Retype password:
$1$KnYGn/$wOAmKuQH3KP35XRjWiUpX/

Copy and paste to “rootpw –iscrypted” as appropriate.

Generate a CSR from a Private RSA Key

admin — Thu, 15 Jan 2009 21:49:07 +0000

To generate the CSR, do the following:

openssl req -new -nodes -key host.key -out host.csr

Create a Self-Signed Certificate with OpenSSL

admin — Thu, 15 Jan 2009 21:44:59 +0000

To create a self-signed certificate for internal or testing use, enter the following commands:

openssl genrsa 1024 > host.key openssl req -new -x509 -nodes -sha1 -days 1825 -key host.key > host.cert