From: Michael <confabulate@kintzios.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] fetchmail: OpenSSL reported: error:0A00018A:SSL routines::dh key too small
Date: Sat, 26 Oct 2024 18:47:49 +0100 [thread overview]
Message-ID: <9891082.ag9G3TJQzC@rogueboard> (raw)
In-Reply-To: <MTAwMDA0MC53ZG5lc2RheQ.1729962853@quikprotect>
On Saturday 26 October 2024 18:14:17 BST Walter Dnes wrote:
> My personal domain inbound email is directed to COTSE.net. I pull
> with fetchmail. After yesterday's world update, fetchmail has been
> failing with the error message in the subject. I can still access my
> incoming email via webmail mode (BLEAGH!!!). I've set my gmail address
> to forward directly to my ISP inbox, avoiding this problem.
>
> It seems that the latest openssl has ratcheted up their "security
> level". After "asking Mr. Google", I tried the answer at...
> https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level
> which doesn't work for me.
DH primes of a low value are vulnerable to brute force attacks. OpenSSL
responds to real-life threat models for a reason, e.g.:
https://weakdh.org/
> I also tried reverting to the previous version of openssl. That
> failed because...
This is not advisable, at least it is not advisable from a security
perspective.
> * the latest "curl" requires the latest openssl
>
> * a whole bunch of apps in my "world" now require the latest "curl"
>
> I also tried...
>
> * USE="-ssl" emerge fetchmail # results in authorization failure
>
> * USE="weak-ssl-ciphers" emerge openssl # doesn't help
>
> Any ideas? Webmail sucks!
You can check the TLS Certificate chain used by COTSE.net mail server, e.g.:
openssl s_client -connect mail.cotse.net:993 -crlf -showcerts
If these guys are still using deprecated TLS versions, you can ask them to
upgrade their SSL/TLS libraries and perhaps their OS - what other deprecated/
unpatched software are they running?
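A worked check to go with the s_client suggestion above. This is an added example for this archive page, not code from the thread or from fetchmail/OpenSSL, and it makes two points a practitioner would want spelled out. First, "dh key too small" is raised on the client side by OpenSSL's security-level check against the ephemeral DH parameters the server chose during a TLS 1.2 DHE handshake; fetchmail cannot pick those, only the server can, and TLS 1.3 never trips it because it only uses named groups (ffdhe2048 and up, X25519). Second, a certificate chain dump will not show the problem: the line to look for in s_client output is "Server Temp Key:". The script below extracts that line and maps it to the highest OpenSSL security level that would still accept the handshake, using the size thresholds from the SSL_CTX_set_security_level(3) man page; a result of 1 means the server is in the 1024-bit DH situation and only a CipherString=DEFAULT:@SECLEVEL=1 override on the client (or a fix on the server) will connect. The port handling is also worth noting: 993 is implicit TLS, so -starttls must not be used there; -starttls imap belongs with port 143. The actual parameters of mail.cotse.net are not known here; the two sample outputs in the script are constructed for the test and are not real captures from any host.

```shell
#!/bin/sh
# Added example for this thread, not code from the original message.
# Probe an IMAP server's TLS handshake with openssl s_client and work out the
# highest OpenSSL security level that would still accept the server's
# ephemeral key exchange. Thresholds follow SSL_CTX_set_security_level(3):
# level 1 = 80-bit security (DH/RSA >= 1024, ECC >= 160), level 2 = 112-bit
# (>= 2048 / >= 224), level 3 = 128-bit (>= 3072 / >= 256),
# level 4 = 192-bit (>= 7680 / >= 384), level 5 = 256-bit (>= 15360 / >= 512).

# Run the handshake (needs network). Port 993 is implicit TLS (IMAPS), so it
# must not use -starttls; -starttls imap is for the STARTTLS port, 143.
probe_imap_tls() {
    host=$1
    port=${2:-993}
    if [ "$port" = 143 ]; then
        openssl s_client -connect "$host:$port" -crlf -starttls imap -showcerts </dev/null 2>&1
    else
        openssl s_client -connect "$host:$port" -showcerts </dev/null 2>&1
    fi
}

# Convert the "Server Temp Key:" line of s_client output into OpenSSL
# "security bits", using the same size-to-strength mapping libssl applies.
# $1 = full s_client output. Prints 0 when no ephemeral key line is present
# (e.g. static RSA key exchange) or the key type is unknown.
kex_security_bits() {
    line=$(printf '%s\n' "$1" | sed -n '/^Server Temp Key:/{p;q;}')
    case "$line" in
        *X25519*) echo 128; return ;;   # fixed strengths for the Montgomery curves
        *X448*)   echo 224; return ;;
    esac
    bits=$(printf '%s\n' "$line" | sed -n 's/.*[ ,]\([0-9][0-9]*\) bits$/\1/p')
    [ -n "$bits" ] || { echo 0; return; }
    case "$line" in
        "Server Temp Key: DH,"*)            # finite-field DH: modulus size
            if   [ "$bits" -ge 15360 ]; then echo 256
            elif [ "$bits" -ge 7680 ];  then echo 192
            elif [ "$bits" -ge 3072 ];  then echo 128
            elif [ "$bits" -ge 2048 ];  then echo 112
            elif [ "$bits" -ge 1024 ];  then echo 80
            else echo 0; fi ;;
        "Server Temp Key: ECDH,"*)          # NIST and other named curves: field size
            if   [ "$bits" -ge 512 ]; then echo 256
            elif [ "$bits" -ge 384 ]; then echo 192
            elif [ "$bits" -ge 256 ]; then echo 128
            elif [ "$bits" -ge 224 ]; then echo 112
            elif [ "$bits" -ge 160 ]; then echo 80
            else echo 0; fi ;;
        *) echo 0 ;;
    esac
}

# Highest security level (0-5) at which this handshake is still accepted.
# A result of 1 is exactly the "dh key too small" case on a level-2 build:
# only CipherString=DEFAULT:@SECLEVEL=1 on the client, or a server-side fix,
# makes it connect.
max_seclevel() {
    sb=$(kex_security_bits "$1")
    if   [ "$sb" -ge 256 ]; then echo 5
    elif [ "$sb" -ge 192 ]; then echo 4
    elif [ "$sb" -ge 128 ]; then echo 3
    elif [ "$sb" -ge 112 ]; then echo 2
    elif [ "$sb" -ge 80 ];  then echo 1
    else echo 0; fi
}

# Constructed sample of the relevant lines of an s_client run against a
# server that still offers 1024-bit DHE (not real output from any host).
SAMPLE_WEAK_DH='New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Peer signing digest: SHA256
Server Temp Key: DH, 1024 bits'

# Constructed sample of a modern handshake (TLS 1.3 always uses a named
# group, so this case never trips the DH size check).
SAMPLE_X25519='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server Temp Key: X25519, 253 bits'

# Usage: sh tlscheck.sh mail.example.net 993   (or 143 for STARTTLS)
if [ $# -ge 1 ]; then
    out=$(probe_imap_tls "$@")
    printf '%s\n' "$out" | sed -n '/^Server Temp Key:/p'
    echo "highest SECLEVEL that still accepts this server: $(max_seclevel "$out")"
fi
```

Run it against the real host with `sh tlscheck.sh mail.cotse.net 993`; if the printed level is below what the local OpenSSL build defaults to, the client-side override is the only workaround, and the proper fix is for the server operator to move to 2048-bit or larger DH parameters or to ECDHE.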
Thread overview: 3+ messages
2024-10-26 17:14 [gentoo-user] fetchmail: OpenSSL reported: error:0A00018A:SSL routines::dh key too small Walter Dnes
2024-10-26 17:47 ` Michael [this message]
2024-10-29 6:10 ` [gentoo-user] [SOLVED] " Walter Dnes