On 2016-12-11 11:22, Joerg Dorchain wrote: > following testing after upgrading from 8.15.2-6 to 8.15.2-7, > sendmail does not accept certain incoming connections anymore > and refuses the STARTTLS handshake with "ca md too weak".
That is probably because the -7 package got built against openssl 1.1 while -6 was still at openssl 1.0. Cc:ing Kurt (the openssl maintainer), maybe he has some hints. > Most reproduceable way I found by now is the DANE validator at > https://dane.sys4.de/, which leave a log entry e.g.: > Dec 11 11:04:54 Redstar sm-mta[18223]: STARTTLS=server, error: accept > failed=-1, reason=ca md too weak, SSL_error=1, errno=0, retry=-1, > relay=dane.sys4.de [IPv6:2001:1578:400:111:0:0:3:1] > > Other affected parties include e.g. amazon. Andreas
