Default to turning off OpenSSL SSL_OP_TLSEXT_PADDING as it breaks
authorgshapiro <gshapiro@FreeBSD.org>
Mon, 16 Mar 2015 20:24:37 +0000 (20:24 +0000)
committergshapiro <gshapiro@FreeBSD.org>
Mon, 16 Mar 2015 20:24:37 +0000 (20:24 +0000)
compatibility with some sites

This change comes from 8.15 but is being backported to FreeBSD releases
not yet using 8.15.

MFC after: 3 days
Noted by: julian@

contrib/sendmail/src/readcf.c

index 9189a9523dc5bc1780ed060b991cb55501ea386e..fc3bb900f896d2ae20fd9b189246f37f03c90d84 100644 (file)
@@ -124,6 +124,11 @@ readcf(cfname, safe, e)
                | SSL_OP_NO_TICKET
 #endif
                ;
+# ifdef SSL_OP_TLSEXT_PADDING
+       /* SSL_OP_TLSEXT_PADDING breaks compatibility with some sites */
+       Srv_SSL_Options &= ~SSL_OP_TLSEXT_PADDING;
+       Clt_SSL_Options &= ~SSL_OP_TLSEXT_PADDING;
+# endif /* SSL_OP_TLSEXT_PADDING */
 #endif /* STARTTLS */
        if (DontLockReadFiles)
                sff |= SFF_NOLOCK;
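Review bot: The comment added above the two `&= ~SSL_OP_TLSEXT_PADDING` lines names the symptom but not what is given up, nor that this is only a default. In OpenSSL this flag pads the ClientHello as a workaround for peers that mishandle certain hello sizes, so clearing it can bring back handshake problems with those peers; it presumably has no effect on `Srv_SSL_Options`, since a server sends no ClientHello. I would expand the comment to something like `/* Default off: ClientHello padding breaks some peers. Client-side only; cleared on Srv_SSL_Options for symmetry. */` and add that an administrator can set it again by name, assuming the `ssl_options` table extended in the second hunk is what the SSL option settings are parsed against. readcf() starts and ends outside this hunk, so whether the defaults assigned just above actually include the flag cannot be confirmed from the visible lines.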
@@ -2405,6 +2410,9 @@ static struct ssl_options
 #endif
 #ifdef SSL_OP_CRYPTOPRO_TLSEXT_BUG
        { "SSL_OP_CRYPTOPRO_TLSEXT_BUG",        SSL_OP_CRYPTOPRO_TLSEXT_BUG     },
+#endif
+#ifdef SSL_OP_TLSEXT_PADDING
+       { "SSL_OP_TLSEXT_PADDING",      SSL_OP_TLSEXT_PADDING   },
 #endif
        { NULL,         0               }
 };