Bug 354611 - mail-mta/sendmail does not read multiple CRLs from the specified CRL file
Summary: mail-mta/sendmail does not read multiple CRLs from the specified CRL file
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: All, OS: All
Importance: High normal
Assignee: Net-Mail Packages
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-02-12 14:37 UTC by Daniel Keyhani
Modified: 2012-06-14 18:21 UTC
CC List: 0 users

See Also:
Package list:
Runtime testing required: ---


Attachments
Patch to read multiple CRLs from confCRL file (sendmail-starttls-multi-crl.patch,631 bytes, patch)
2011-02-12 15:18 UTC, Daniel Keyhani

Description Daniel Keyhani 2011-02-12 14:37:03 UTC
Loading multiple CRLs from the CRL file specified in the Sendmail configuration fails due to an oversight (?) in the upstream source. This problem was reported in the comp.mail.sendmail group on the 27th of May 2010 with a straightforward patch (http://groups.google.com/group/comp.mail.sendmail/browse_thread/thread/a3468515a14441ec).

Reproducible: Always

Steps to Reproduce:
1. emerge "<=mail-mta/sendmail-8.14.4"
2. define confCRL in sendmail.mc
3. add multiple CRLs to the CRL file
4. attempt to authenticate with a cert revoked in CRL #2+n

Actual Results:  
Sendmail accepts the certificate as valid, as only the first CRL in the file is loaded.

Expected Results:  
Certificate should be rejected as it is listed in one of the CRLs.

Impact: Sendmail does not work with multiple CAs, for example in a multi-level PKI with one root CA and several actually signing CAs. If for example one of the signing CAs were revoked by the root CA, and the root CA CRL were not the first CRL in the file, any certs issued by the compromised CA would continue to be accepted. If, on the other hand, the root CA CRL were the first listed CRL, certs revoked due to a compromised private key would continue to be accepted.

The only secure solution is to be able to read CRLs from multiple CAs, which the attached patch (for credit, see the above-mentioned post on comp.mail.sendmail) does.
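As an added illustration of the failure mode described above (this is not code from the bug report, from sendmail, or from the attached patch): the Python below builds two constructed CRLs with zero-filled placeholder signatures into one PEM bundle, root CA CRL first and signing CA CRL second, then compares a loader that reads only the first PEM object against one that walks every block. The issuer names, serial numbers and the minimal DER encoder/decoder are all made up for the demonstration.

```python
import base64, re

def _tlv(tag, body):  # DER TLV with definite short/long form length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _children(body):  # split a DER body into its top-level (tag, inner) elements
    out, pos = [], 0
    while pos < len(body):
        tag, ln, pos = body[pos], body[pos + 1], pos + 2
        if ln & 0x80:  # long form: the next (ln & 0x7F) bytes hold the length
            k = ln & 0x7F
            ln, pos = int.from_bytes(body[pos:pos + k], "big"), pos + k
        out.append((tag, body[pos:pos + ln]))
        pos += ln
    return out

def make_crl_pem(issuer_cn, serials):  # constructed v1 CertificateList, placeholder (unverifiable) signature
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    cn = _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x13, issuer_cn.encode()))  # CN=issuer_cn
    issuer = _tlv(0x30, _tlv(0x31, cn))  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    when = _tlv(0x17, b"240101000000Z")  # UTCTime, used for thisUpdate and every revocationDate
    entries = b"".join(_tlv(0x30, _tlv(0x02, s.to_bytes((s.bit_length() + 8) // 8, "big")) + when)
                       for s in serials)
    tbs = _tlv(0x30, alg + issuer + when + _tlv(0x30, entries))  # no version field => v1, no extensions
    der = _tlv(0x30, tbs + alg + _tlv(0x03, bytes(33)))  # BIT STRING: 0 unused bits + 32 zero bytes
    return "-----BEGIN X509 CRL-----\n" + base64.encodebytes(der).decode() + "-----END X509 CRL-----\n"

def revoked_serials(der):  # serial numbers listed in revokedCertificates of one DER-encoded CRL
    fields = _children(_children(_children(der)[0][1])[0][1])  # tbsCertList fields
    if fields[0][0] == 0x02:  # optional v2 version INTEGER
        fields = fields[1:]
    for tag, body in fields[2:]:  # after signature AlgorithmIdentifier and issuer Name
        if tag == 0x30:  # the first SEQUENCE here is revokedCertificates
            return {int.from_bytes(_children(e)[0][1], "big") for _, e in _children(body)}
    return set()

PEM_CRL = re.compile(r"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", re.S)

def load_crls(bundle, first_only):  # first_only=True mimics reading a single PEM object from the file
    blocks = PEM_CRL.findall(bundle)
    return [base64.b64decode(b) for b in (blocks[:1] if first_only else blocks)]

def is_revoked(bundle, serial, first_only):
    return any(serial in revoked_serials(crl) for crl in load_crls(bundle, first_only))

# Constructed bundle: root CA CRL first, signing CA CRL second (names and serials are made up).
BUNDLE = make_crl_pem("Example Root CA", [0x1001]) + make_crl_pem("Example Signing CA", [0x2002, 0x2003])
```

With the bundle above, `is_revoked(BUNDLE, 0x2002, first_only=True)` returns False because the serial sits in the second CRL, while `first_only=False` returns True; swapping the order of the two CRLs in the file simply moves the blind spot to the root CA's revocations.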
Comment 1 Daniel Keyhani 2011-02-12 15:18:07 UTC
Created attachment 262245 [details, diff]
Patch to read multiple CRLs from confCRL file
Comment 2 Eray Aslan gentoo-dev 2012-06-14 18:21:37 UTC
+*sendmail-8.14.5-r2 (14 Jun 2012)
+
+  14 Jun 2012; Eray Aslan <eras@gentoo.org> +sendmail-8.14.5-r2.ebuild,
+  +files/sendmail-starttls-multi-crl.patch:
+  Install helper programs - bug #348621. Read multiple crls - bug #354611.
+  Install /etc/sasl2/Sendmail.conf - bug #144060
+