Hello.

I've upgraded to Fedora 33 beta and I've discovered a problem with
Thunderbird. All email accounts work well except the Red Hat one with
mail.corp.redhat.com as an IMAP server (I use Zimbra servers, not Gmail).
The problem is that Thunderbird does not show any error message but it's
not able to communicate with the IMAP server. I'm not able to receive
any message from the server. I'm able to send a message but a copy is
then not saved to the Sent folder for the same reason. My first thought was
that the problem is caused by a downgrade from 68.11 to 68.10 because
Thunderbird currently FTBFS in Fedora 33 but it does not seem to be so.
I've also tried to remove the account and add it back but it did not
help because I was no longer able to log in to my account without any
particular error message. I've also tried to delete the server's
certificates.

The problem seems to be caused by strict crypto policies in Fedora 33
and a too-small DH key provided by the server.

$ update-crypto-policies --show
DEFAULT
$ openssl s_client -showcerts -connect mail.corp.redhat.com:993 -servername mail.corp.redhat.com
CONNECTED(00000003)
depth=3 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", OU = Red Hat IT, CN = Red Hat IT Root CA, emailAddress = infosec@xxxxxxxxxx
verify return:1
depth=2 O = Red Hat, OU = prod, CN = Intermediate Certificate Authority
verify return:1
depth=1 O = Red Hat, OU = prod, CN = Certificate Authority
verify return:1
depth=0 C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU = Information Technology, emailAddress = servicedesk@xxxxxxxxxx, CN = mail.corp.redhat.com
verify return:1
139893557032768:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:ssl/statem/statem_clnt.c:2149:
---
$ sudo update-crypto-policies --set LEGACY
Setting system policy to LEGACY
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
$ openssl s_client -showcerts -connect mail.corp.redhat.com:993 -servername mail.corp.redhat.com
CONNECTED(00000003)
depth=3 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", OU = Red Hat IT, CN = Red Hat IT Root CA, emailAddress = infosec@xxxxxxxxxx
verify return:1
depth=2 O = Red Hat, OU = prod, CN = Intermediate Certificate Authority
verify return:1
depth=1 O = Red Hat, OU = prod, CN = Certificate Authority
verify return:1
depth=0 C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU = Information Technology, emailAddress = servicedesk@xxxxxxxxxx, CN = mail.corp.redhat.com
verify return:1
---
... <certificates chain> ...
---
* OK IMAP4 ready

As you can see above, the DH key provided by the server is too small so
the SSL verification fails. Setting the crypto policies to LEGACY solves
the issue for me and I am again able to recreate my Red Hat account in
Thunderbird.

Hope this helps. I'm going to report this problem to the service desk.

Lumír
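
Added example, not part of the original message: a small shell classifier for `openssl s_client` transcripts like the two above, reporting certificate-chain verification separately from the key-exchange error. The function name, verdict strings and shortened sample transcripts are constructed for illustration, and the error-line layout is assumed to be the one shown in the message.

```shell
#!/bin/sh
# Added example (not from the original message): classify an
# `openssl s_client` transcript. Assumes the colon-separated error layout
# shown in the message: id:error:code:library:function:reason:file:line:

diagnose_tls() {
    awk -F: '
        /^verify error:/   { chain_bad = 1 }
        /^verify return:/  { chain_seen = 1 }
        $2 == "error"      { fn = $5; reason = $6; failed = 1 }
        /^\* OK /          { greeted = 1 }
        END {
            chain = chain_bad ? "failed" : (chain_seen ? "verified" : "unknown")
            if (failed && reason == "dh key too small") verdict = "dh-key-too-small"
            else if (failed)  verdict = "tls-error"
            else if (greeted) verdict = "ok"
            else              verdict = "no-handshake"
            printf "verdict=%s chain=%s function=%s\n", verdict, chain, (fn == "" ? "-" : fn)
        }'
}

# Constructed transcripts modelled on the two runs above (subject lines shortened).
sample_default() {
    cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = mail.example.test
verify return:1
139893557032768:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:ssl/statem/statem_clnt.c:2149:
---
EOF
}

sample_legacy() {
    cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = mail.example.test
verify return:1
---
* OK IMAP4 ready
EOF
}

for s in sample_default sample_legacy; do
    printf '%s: ' "$s"
    "$s" | diagnose_tls
done
```

A `dh-key-too-small` verdict with `chain=verified` points at the server's DH parameters rather than its certificates, which is the detail to pass on to whoever runs the server.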