From: Michael
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] fetchmail: OpenSSL reported: error:0A00018A:SSL routines::dh key too small
Date: Sat, 26 Oct 2024 18:47:49 +0100
Message-ID: <9891082.ag9G3TJQzC@rogueboard>
List-Id: Gentoo Linux mail

On Saturday 26 October 2024 18:14:17 BST Walter Dnes wrote:
> My personal domain inbound email is directed to COTSE.net. I pull
> with fetchmail. After yesterday's world update, fetchmail has been
> failing with the error message in the subject. I can still access my
> incoming email via webmail mode (BLEAGH!!!). I've set my gmail address
> to forward directly to my ISP inbox, avoiding this problem.
>
> It seems that the latest openssl has ratcheted up their "security
> level". After "asking Mr. Google", I tried the answer at...
> https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level
> which doesn't work for me.

DH primes of a low value are vulnerable to brute force attacks. OpenSSL responds to real life threat models for a reason, e.g.:

https://weakdh.org/

> I also tried reverting to the previous version of openssl. That
> failed because...

This is not advisable, at least it is not advisable from a security perspective.

> * the latest "curl" requires the latest openssl
>
> * a whole bunch of apps in my "world" now require the latest "curl"
>
> I also tried...
>
> * USE="-ssl" emerge fetchmail # results in authorization failure
>
> * USE="weak-ssl-ciphers" emerge openssl # doesn't help
>
> Any ideas? Webmail sucks!

You can check the TLS Certificate chain used by COTSE.net mail server, e.g.:

openssl s_client -connect mail.cotse.net:993 -crlf -showcerts

If these guys are still using deprecated TLS versions, you can ask them to upgrade their SSL/TLS libraries and perhaps their OS - what other deprecated/unpatched software are they running?
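The exchange the thread is about, reproduced end to end on the loopback interface, as an added example that is not part of the original posts and touches neither COTSE.net nor any other real server. A TLS 1.2 server is started that will only do DHE over the 1024-bit group, then two clients connect: one pinned to OpenSSL security level 2 (the default that produced Walter's "dh key too small") and one at level 1, the downgrade the askubuntu answer sets system-wide in openssl.cnf's CipherString. The 1024-bit group is the published RFC 2409 "Second Oakley Group"; the DER/PEM encoding, the throwaway certificate and the function names (probe, demo, start_dhe_server) are this example's own. It assumes the openssl CLI is on PATH (used only to mint the self-signed certificate) and that Python's ssl module is built against OpenSSL, since @SECLEVEL is an OpenSSL cipher-string directive.

```python
"""Reproduce OpenSSL's "dh key too small" locally and show what the
client security level does about it.  A TLS 1.2 server on 127.0.0.1 offers
only DHE with a 1024-bit group; a client at SECLEVEL=2 refuses it, a client
at SECLEVEL=1 accepts it.  Assumes the `openssl` CLI is on PATH (only to
mint a throwaway certificate) and an OpenSSL-backed Python ssl module."""
import base64
import os
import socket
import ssl
import subprocess
import tempfile
import textwrap
import threading

# Published constants: RFC 2409 "Second Oakley Group", 1024-bit MODP prime, g = 2.
# This is the class of group weakdh.org showed a well-resourced attacker can
# break; it is used here only to trip OpenSSL's check.
MODP_1024_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
MODP_1024_G = 2


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(n: int) -> bytes:
    """DER INTEGER; a leading 0x00 stops a set top bit from reading as negative."""
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def dhparams_pem(p: int, g: int) -> str:
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }, PEM-armoured."""
    seq = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(seq)) + seq
    lines = textwrap.wrap(base64.b64encode(der).decode("ascii"), 64)
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


def make_self_signed_cert(dirpath: str) -> tuple:
    """Throwaway RSA-2048 certificate for localhost (acceptable at any security level)."""
    cert = os.path.join(dirpath, "cert.pem")
    key = os.path.join(dirpath, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
         "-keyout", key, "-out", cert],
        check=True, capture_output=True)
    return cert, key


def start_dhe_server(cert: str, key: str, dh_pem: str):
    """Serve TLS 1.2 with DHE only.  Returns (port, stop_callable)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2   # server-chosen DH groups exist only up to 1.2
    # The server itself must sit at level 1, or load_dh_params() rejects the 1024-bit group.
    ctx.set_ciphers("DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:@SECLEVEL=1")
    ctx.load_cert_chain(cert, key)
    ctx.load_dh_params(dh_pem)
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(5)
    lsock.settimeout(0.2)
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                conn, _ = lsock.accept()
            except socket.timeout:
                continue
            conn.settimeout(5)
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.recv(1)          # returns b"" once the client closes
            except OSError:
                pass                     # a level-2 client aborts the handshake here
            finally:
                conn.close()
        lsock.close()

    threading.Thread(target=loop, daemon=True).start()
    return lsock.getsockname()[1], stop.set


def probe(port: int, cafile: str, seclevel: int) -> dict:
    """Connect as a verifying client pinned to the test cert at the given security level."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.set_ciphers(f"DEFAULT@SECLEVEL={seclevel}")  # same knob as CipherString in openssl.cnf
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            return {"ok": True, "version": tls.version(), "cipher": tls.cipher()[0], "error": ""}
    except OSError as exc:
        return {"ok": False, "version": None, "cipher": None, "error": str(exc)}


def demo() -> dict:
    """Run both probes against a fresh server; keys are the client security level."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed_cert(tmp)
        dh_pem = os.path.join(tmp, "dh1024.pem")
        with open(dh_pem, "w") as fh:
            fh.write(dhparams_pem(MODP_1024_P, MODP_1024_G))
        port, stop = start_dhe_server(cert, key, dh_pem)
        try:
            return {level: probe(port, cert, level) for level in (2, 1)}
        finally:
            stop()


if __name__ == "__main__":
    for level, result in demo().items():
        print(f"SECLEVEL={level}: {result}")
```

Against a real IMAP server the same diagnosis comes from `openssl s_client -connect host:993`, whose output includes a `Server Temp Key:` line giving the ephemeral key type and size; "DH, 1024 bits" there is the whole story behind the error. Setting `@SECLEVEL=1` in openssl.cnf, as the askubuntu answer does, applies the downgrade to every TLS client on the machine and reopens exactly the attack weakdh.org describes, which is why the durable fix is on the server: 2048-bit or larger DH parameters, or ECDHE.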