[gentoo-user] fetchmail: OpenSSL reported: error:0A00018A:SSL routines::dh key too small
From: Walter Dnes @ 2024-10-26 17:14 UTC
To: Gentoo Users List
My personal domain inbound email is directed to COTSE.net. I pull
with fetchmail. After yesterday's world update, fetchmail has been
failing with the error message in the subject. I can still access my
incoming email via webmail mode (BLEAGH!!!). I've set my gmail address
to forward directly to my ISP inbox, avoiding this problem.
It seems that the latest openssl has ratcheted up their "security
level". After "asking Mr. Google", I tried the answer at...
https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level
which doesn't work for me.
I also tried reverting to the previous version of openssl. That
failed because...
* the latest "curl" requires the latest openssl
* a whole bunch of apps in my "world" now require the latest "curl"
I also tried...
* USE="-ssl" emerge fetchmail # results in authorization failure
* USE="weak-ssl-ciphers" emerge openssl # doesn't help
Any ideas? Webmail sucks!
--
There are 2 types of people in this world
1) Those who can extrapolate from incomplete data
Re: [gentoo-user] fetchmail: OpenSSL reported: error:0A00018A:SSL routines::dh key too small
From: Michael @ 2024-10-26 17:47 UTC
To: gentoo-user
On Saturday 26 October 2024 18:14:17 BST Walter Dnes wrote:
> My personal domain inbound email is directed to COTSE.net. I pull
> with fetchmail. After yesterday's world update, fetchmail has been
> failing with the error message in the subject. I can still access my
> incoming email via webmail mode (BLEAGH!!!). I've set my gmail address
> to forward directly to my ISP inbox, avoiding this problem.
>
> It seems that the latest openssl has ratcheted up their "security
> level". After "asking Mr. Google", I tried the answer at...
> https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level
> which doesn't work for me.
DH primes of a low value are vulnerable to brute-force attacks. OpenSSL
responds to real-life threat models for a reason, e.g.:
https://weakdh.org/
> I also tried reverting to the previous version of openssl. That
> failed because...
This is not advisable, at least it is not advisable from a security
perspective.
> * the latest "curl" requires the latest openssl
>
> * a whole bunch of apps in my "world" now require the latest "curl"
>
> I also tried...
>
> * USE="-ssl" emerge fetchmail # results in authorization failure
>
> * USE="weak-ssl-ciphers" emerge openssl # doesn't help
>
> Any ideas? Webmail sucks!
You can check the TLS Certificate chain used by COTSE.net mail server, e.g.:
openssl s_client -connect mail.cotse.net\:993 -crlf -starttls imap -showcerts
If these guys are still using deprecated TLS versions, you can ask them to
upgrade their SSL/TLS libraries and perhaps their OS - what other deprecated/
unpatched software are they running?
[gentoo-user] [SOLVED] fetchmail: OpenSSL reported: error:0A00018A:SSL routines::dh key too small
From: Walter Dnes @ 2024-10-29 6:10 UTC
To: gentoo-user
On Sat, Oct 26, 2024 at 01:14:17PM -0400, Walter Dnes wrote:
> My personal domain inbound email is directed to COTSE.net. I pull
> with fetchmail. After yesterday's world update, fetchmail has been
> failing with the error message in the subject. I can still access my
> incoming email via webmail mode (BLEAGH!!!). I've set my gmail address
> to forward directly to my ISP inbox, avoiding this problem.
*I'M BACK!* It may have been a coincidence that I ran into the
problem right after an @world update. https://www.cotse.net/notices.html
> Oct 28 - During a recent deployment for some configuration changes, an
> incorrect version of a dovecot configuration file was deployed. This
> resulted in a weak Diffie-Hellman parameter (1024 instead of 2048)
> to be used in our imaps and pops protocols, as well as some weaker
> ciphers to be available. We were notified by one of our subscribers
> and it has been corrected. We do not see evidence of any of our
> subscribers' email clients having selected a weaker cipher during
> this time, which could be an indication of a MITM attack on that
> subscriber. This did not affect webmail users.
--
There are 2 types of people in this world
1) Those who can extrapolate from incomplete data
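An added example, written for this page and not code from Michael, Walter or COTSE: a small Python script that reads saved `openssl s_client` output (the check Michael suggests above) and reports whether the server's ephemeral DH size, which the COTSE notice says had dropped to 1024 bits instead of 2048, would pass at a given OpenSSL security level. The per-level minimum DH sizes are the ones documented in the SSL_CTX_set_security_level(3) manual page; the two s_client transcripts embedded in the script are constructed for the example, not captured from mail.cotse.net, and the default of checking against level 2 is an assumption chosen because that is the first level at which a 1024-bit DH key is refused, matching the "dh key too small" symptom in the thread.

```python
import re
import sys
from typing import Optional, Tuple

# Minimum finite-field DH key size (bits) accepted at each OpenSSL security
# level, per the SSL_CTX_set_security_level(3) manual page. Level 0 accepts any size.
DH_MIN_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}

# Matches the "Server Temp Key:" line s_client prints after the handshake, e.g.
#   Server Temp Key: DH, 2048 bits
#   Server Temp Key: ECDH, P-256, 256 bits
#   Server Temp Key: X25519, 253 bits
TEMP_KEY_RE = re.compile(
    r"^Server Temp Key:\s*(?P<alg>[A-Za-z0-9]+)(?:,\s*[A-Za-z0-9-]+)?,\s*(?P<bits>\d+) bits\s*$",
    re.MULTILINE,
)

# Constructed transcripts (not real captures): the first mirrors the misconfigured
# state COTSE described (1024-bit DH), the second the corrected one (2048-bit DH).
WEAK_SAMPLE = """\
CONNECTED(00000003)
---
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 3301 bytes and written 435 bytes
"""

FIXED_SAMPLE = WEAK_SAMPLE.replace("DH, 1024 bits", "DH, 2048 bits")


def parse_temp_key(s_client_output: str) -> Optional[Tuple[str, int]]:
    """Return (algorithm, key_bits) from the Server Temp Key line, or None if absent."""
    m = TEMP_KEY_RE.search(s_client_output)
    if m is None:
        return None
    return m.group("alg"), int(m.group("bits"))


def highest_accepting_level(dh_bits: int) -> int:
    """Highest OpenSSL security level (0-5) whose DH minimum this key size meets."""
    return max(level for level, minimum in DH_MIN_BITS.items() if dh_bits >= minimum)


def assess(s_client_output: str, client_level: int = 2) -> dict:
    """Say whether a client running at `client_level` would accept the server's DH key."""
    parsed = parse_temp_key(s_client_output)
    if parsed is None:
        return {"found": False, "accepted": None,
                "verdict": "no 'Server Temp Key' line: handshake did not complete "
                           "or no ephemeral key exchange was shown"}
    alg, bits = parsed
    if alg != "DH":
        # ECDH/X25519 strength is judged on a different scale; out of scope for this check.
        return {"found": True, "alg": alg, "bits": bits, "accepted": None,
                "verdict": f"{alg} key exchange; the finite-field DH size rule does not apply"}
    ok_level = highest_accepting_level(bits)
    accepted = client_level <= ok_level
    verdict = (f"DH {bits} bits: accepted up to security level {ok_level}; "
               f"a level-{client_level} client "
               + ("accepts it" if accepted else "rejects it (dh key too small)"))
    return {"found": True, "alg": alg, "bits": bits, "accepted": accepted,
            "max_level": ok_level, "verdict": verdict}


if __name__ == "__main__":
    # Usage: python3 dhcheck.py [captured_s_client_output.txt] [security_level]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_SAMPLE
    level = int(sys.argv[2]) if len(sys.argv) > 2 else 2
    print(assess(text, level)["verdict"])
```

To use it against a real server, capture the handshake once with something like `openssl s_client -connect mail.example.net:993 -crlf -starttls imap < /dev/null > out.txt 2>&1` (hostname assumed for illustration) and run `python3 dhcheck.py out.txt 2`. If the handshake itself is refused by your client's security level, rerun s_client with `-cipher 'DEFAULT:@SECLEVEL=0'` purely for the diagnostic so that the Server Temp Key line is printed; the script then tells you which level the server's parameters would clear, which is the number to quote back to the provider rather than lowering your own level permanently.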