Probably better than switching the system-wide policy to LEGACY is to
create a policy modifier which alters only the minimum size of DH keys.
$ echo "min_dh_size = 1023" | sudo tee /etc/crypto-policies/policies/modules/DH-SIZE.pmod
$ sudo update-crypto-policies --set DEFAULT:DH-SIZE
The issue is already reported to the service desk.
Lumír
On 10/1/20 7:50 AM, Lumír Balhar wrote:
Hello.
I've upgraded to Fedora 33 beta and I've discovered a problem with
Thunderbird. All email accounts work well except the Red Hat one with
mail.corp.redhat.com as an IMAP server (I use Zimbra servers not Gmail).
The problem is that Thunderbird does not show any error message but
it's not able to communicate with the IMAP server. I'm not able to
receive any message from the server. I'm able to send a message but a
copy is then not saved to the Sent folder for the same reason. My first
thought was that the problem is caused by a downgrade from 68.11 to
68.10 because Thunderbird currently FTBFS in Fedora 33 but it does not
seem to be so. I've also tried to remove the account and add it back
but it did not help because I was no longer able to log in to my
account without any particular error message. I've also tried to
delete the server's certificates.
The problem seems to be caused by strict crypto policies in Fedora 33
and too small DH key provided by the server.
$ update-crypto-policies --show
DEFAULT
$ openssl s_client -showcerts -connect mail.corp.redhat.com:993 -servername mail.corp.redhat.com
CONNECTED(00000003)
depth=3 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.",
OU = Red Hat IT, CN = Red Hat IT Root CA, emailAddress =
infosec@xxxxxxxxxx
verify return:1
depth=2 O = Red Hat, OU = prod, CN = Intermediate Certificate Authority
verify return:1
depth=1 O = Red Hat, OU = prod, CN = Certificate Authority
verify return:1
depth=0 C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU =
Information Technology, emailAddress = servicedesk@xxxxxxxxxx, CN =
mail.corp.redhat.com
verify return:1
139893557032768:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:ssl/statem/statem_clnt.c:2149:
---
$ sudo update-crypto-policies --set LEGACY
Setting system policy to LEGACY
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies
to fully take place.
$ openssl s_client -showcerts -connect mail.corp.redhat.com:993 -servername mail.corp.redhat.com
CONNECTED(00000003)
depth=3 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.",
OU = Red Hat IT, CN = Red Hat IT Root CA, emailAddress =
infosec@xxxxxxxxxx
verify return:1
depth=2 O = Red Hat, OU = prod, CN = Intermediate Certificate Authority
verify return:1
depth=1 O = Red Hat, OU = prod, CN = Certificate Authority
verify return:1
depth=0 C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU =
Information Technology, emailAddress = servicedesk@xxxxxxxxxx, CN =
mail.corp.redhat.com
verify return:1
---
... <certificates chain> ...
---
* OK IMAP4 ready
As you can see above, the DH key provided by the server is too small
so the SSL verification fails. Setting the crypto policies to LEGACY
solves the issue for me and I am again able to recreate my Red Hat
account in Thunderbird.
Hope this helps. I'm going to report this problem to service desk.
Lumír
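The procedure from the reply above (a policy modifier that relaxes only the DH minimum, applied on top of DEFAULT) as a small script. This is an added example, not code from the thread or from the crypto-policies project. It assumes the Fedora layout of /etc/crypto-policies/policies/modules/NAME.pmod and the update-crypto-policies command; writing to the real directory needs root, so the self-check at the bottom writes into a temporary directory instead. The two sample s_client transcripts are constructed (the first reuses the error line quoted in this thread) so the check runs without network access. The "Server Temp Key" line is what openssl s_client prints after a successful DHE handshake, which is the quickest way to learn what group size the server actually offers before choosing a minimum.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the crypto-policies
# project. Assumption: Fedora's crypto-policies module directory below;
# override PMOD_DIR for testing or on other layouts.
PMOD_DIR="${PMOD_DIR:-/etc/crypto-policies/policies/modules}"

# write_dh_pmod NAME BITS
# Write NAME.pmod containing only a min_dh_size override. Refuses
# non-numeric values and anything below 1023 (this floor is my own guard:
# the goal is to admit the server's 1024-bit group, not to go weaker).
write_dh_pmod() {
    name="$1"; bits="$2"
    case "$bits" in
        ''|*[!0-9]*) echo "write_dh_pmod: size must be numeric" >&2; return 1 ;;
    esac
    [ "$bits" -ge 1023 ] || {
        echo "write_dh_pmod: refusing min_dh_size below 1023" >&2; return 1
    }
    printf 'min_dh_size = %s\n' "$bits" > "$PMOD_DIR/$name.pmod"
}

# apply_dh_policy NAME BITS
# Write the modifier and stack it on DEFAULT (same command as in the thread).
# Not run by the self-check: it needs root and the real command.
apply_dh_policy() {
    write_dh_pmod "$1" "$2" || return 1
    update-crypto-policies --set "DEFAULT:$1"
}

# dh_too_small: read openssl s_client output on stdin; exit 0 when the
# handshake was aborted because the server's DH group is below the policy.
dh_too_small() {
    grep -q 'dh key too small'
}

# server_dh_bits: read s_client output on stdin and print the size of the
# ephemeral DH group ("Server Temp Key: DH, 1024 bits"); prints nothing
# for a non-DHE handshake or a failed one.
server_dh_bits() {
    sed -n 's/^Server Temp Key: DH, \([0-9]*\) bits.*/\1/p'
}

# Constructed sample transcripts. The first reuses the error line quoted in
# the thread; the second is what a successful DHE handshake to the same
# server would show once the 1024-bit group is accepted.
SAMPLE_FAIL='CONNECTED(00000003)
verify return:1
139893557032768:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:ssl/statem/statem_clnt.c:2149:'
SAMPLE_OK='CONNECTED(00000003)
verify return:1
Server Temp Key: DH, 1024 bits
* OK IMAP4 ready'

# Self-check: write the modifier into a temp dir and classify both samples.
demo_dir=$(mktemp -d)
PMOD_DIR="$demo_dir"
write_dh_pmod DH-SIZE 1023
echo "wrote $demo_dir/DH-SIZE.pmod: $(cat "$demo_dir/DH-SIZE.pmod")"
printf '%s\n' "$SAMPLE_FAIL" | dh_too_small && echo "sample 1: rejected by policy (dh key too small)"
bits=$(printf '%s\n' "$SAMPLE_OK" | server_dh_bits)
echo "sample 2: server offered a ${bits}-bit DH group"
rm -rf "$demo_dir"
```

To use it for real, source the script as root and run `apply_dh_policy DH-SIZE 1023`, then re-run the openssl s_client command from the thread and pipe its output through `server_dh_bits` to confirm the group size the server negotiates.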
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx