$NetBSD: patch-aw,v 1.3 2014/06/20 16:26:55 jnemeth Exp $

--- sendmail/readcf.c.orig	2014-05-16 20:40:15.000000000 +0000
+++ sendmail/readcf.c
@@ -20,6 +20,10 @@ SM_RCSID("@(#)$Id: readcf.c,v 8.692 2013
 # include <arpa/inet.h>
 #endif /* NETINET || NETINET6 */
 
+#if NAMED_BIND
+extern struct __res_state sm_res;
+#endif
+
 
 #define SECONDS
 #define MINUTES	* 60
@@ -124,6 +128,14 @@ readcf(cfname, safe, e)
 		| SSL_OP_NO_TICKET
 #endif
 		;
+#ifdef SSL_OP_TLSEXT_PADDING
+	/* 
+	 * For now disable SSL_OP_TLSEXT_PADDING: with OpenSSL 1.0.1g
+	 * and 1.0.1h it breaks compatibility with some sites.
+	 */
+	Srv_SSL_Options &= ~SSL_OP_TLSEXT_PADDING;
+	Clt_SSL_Options &= ~SSL_OP_TLSEXT_PADDING;
+#endif
 #endif /* STARTTLS */
 	if (DontLockReadFiles)
 		sff |= SFF_NOLOCK;
@@ -2406,6 +2418,9 @@ static struct ssl_options
 #ifdef SSL_OP_CRYPTOPRO_TLSEXT_BUG
 	{ "SSL_OP_CRYPTOPRO_TLSEXT_BUG",	SSL_OP_CRYPTOPRO_TLSEXT_BUG	},
 #endif
+#ifdef SSL_OP_TLSEXT_PADDING
+	{ "SSL_OP_TLSEXT_PADDING",	SSL_OP_TLSEXT_PADDING	},
+#endif
 	{ NULL,		0		}
 };
 #endif /* STARTTLS && _FFR_TLS_1 */
@@ -2810,13 +2825,13 @@ setoption(opt, val, safe, sticky, e)
 			if (rfp->rf_name == NULL)
 				syserr("readcf: I option value %s unrecognized", q);
 			else if (clearmode)
-				_res.options &= ~rfp->rf_bits;
+				sm_res.options &= ~rfp->rf_bits;
 			else
-				_res.options |= rfp->rf_bits;
+				sm_res.options |= rfp->rf_bits;
 		}
 		if (tTd(8, 2))
 			sm_dprintf("_res.options = %x, HasWildcardMX = %d\n",
-				   (unsigned int) _res.options, HasWildcardMX);
+				   (unsigned int) sm_res.options, HasWildcardMX);
 #else /* NAMED_BIND */
 		usrerr("name server (I option) specified but BIND not compiled in");
 #endif /* NAMED_BIND */
