| I've upgraded to Fedora 33 beta and I've discovered a problem with
| Thunderbird. All email accounts work well except the Red Hat one with
| mail.corp.redhat.com as an IMAP server (I use Zimbra servers not Gmail).
|
| The problem is that Thunderbird does not show any error message but it's not
| able to communicate with the IMAP server. I'm not able to receive any
| message from the server. I'm able to send a message but a copy is then not
| saved to sent folder for the same reason. My first thought was that the
| problem is caused by a downgrade from 68.11 to 68.10 because Thunderbird
| currently FTBFS in Fedora 33 but it does not seem to be so. I've also tried
| to remove the account and add it back but it did not help because I was no
| longer able to log in to my account without any particular error message.
| I've also tried to delete the server's certificates.
|
| The problem seems to be caused by strict crypto policies in Fedora 33 and
| too small DH key provided by the server.
|
| $ update-crypto-policies --show
| DEFAULT
|
| $ openssl s_client -showcerts -connect mail.corp.redhat.com:993 -servername
| mail.corp.redhat.com
| CONNECTED(00000003)
| depth=3 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", OU =
| Red Hat IT, CN = Red Hat IT Root CA, emailAddress = infosec@xxxxxxxxxx
| verify return:1
| depth=2 O = Red Hat, OU = prod, CN = Intermediate Certificate Authority
| verify return:1
| depth=1 O = Red Hat, OU = prod, CN = Certificate Authority
| verify return:1
| depth=0 C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU =
| Information Technology, emailAddress = servicedesk@xxxxxxxxxx, CN =
| mail.corp.redhat.com
| verify return:1
| 139893557032768:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too
| small:ssl/statem/statem_clnt.c:2149:
| ---
|
| $ sudo update-crypto-policies --set LEGACY
| Setting system policy to LEGACY
| Note: System-wide crypto policies are applied on application start-up.
| It is recommended to restart the system for the change of policies
| to fully take place.
|
| openssl s_client -showcerts -connect mail.corp.redhat.com:993 -servername
| mail.corp.redhat.com
| CONNECTED(00000003)
| depth=3 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", OU =
| Red Hat IT, CN = Red Hat IT Root CA, emailAddress = infosec@xxxxxxxxxx
| verify return:1
| depth=2 O = Red Hat, OU = prod, CN = Intermediate Certificate Authority
| verify return:1
| depth=1 O = Red Hat, OU = prod, CN = Certificate Authority
| verify return:1
| depth=0 C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU =
| Information Technology, emailAddress = servicedesk@xxxxxxxxxx, CN =
| mail.corp.redhat.com
| verify return:1
| ---
| ... <certificates chain> ...
| ---
| * OK IMAP4 ready
|
| As you can see above, the DH key provided by the server is too small so the
| SSL verification fails. Setting the crypto policies to LEGACY solves the
| issue for me and I am again able to recreate my Red Hat account in
| Thunderbird.
|
| Hope this helps. I'm going to report this problem to service desk.

Same thing applies to mutt. I've filed this bz:
https://bugzilla.redhat.com/show_bug.cgi?id=1883976

Harish
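
The following is an added example, not part of the thread or of any Fedora or OpenSSL tooling: a small parser for the OpenSSL 1.1.1 error-queue line seen in the s_client output above, which decodes the packed error code and flags handshake failures caused by the client's minimum-strength policy. The names diagnose, decode_code and POLICY_REASONS are hypothetical, the sample transcript is constructed from the quoted error line (unwrapped), and the 8/12/12-bit code layout is assumed to be that of OpenSSL 1.1.1.

```python
import re

# OpenSSL 1.1.1 error-queue line:
#   <thread>:error:<hex code>:<library>:<function>:<reason>:<file>:<line>:
ERR_LINE = re.compile(
    r"^(?P<tid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):"
)

# OpenSSL reason strings raised when the peer is weaker than the local
# security level allows. The explanations are this example's own wording.
POLICY_REASONS = {
    "dh key too small": "server DH parameters are below the client's minimum size",
    "ee key too small": "server certificate key is below the client's minimum size",
    "ca md too weak": "a certificate in the chain uses a rejected digest",
}

def decode_code(code_hex):
    """Split a packed 1.1.1 error code into (library, function, reason) numbers."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def diagnose(output):
    """Return one finding per error-queue line found in s_client output."""
    findings = []
    for raw in output.splitlines():
        m = ERR_LINE.match(raw.strip())
        if not m:
            continue  # certificate chain, banner and separator lines
        lib, _func, reason = decode_code(m["code"])
        text = m["reason"].strip()
        findings.append({
            "function": m["func"],
            "reason": text,
            "library_code": lib,    # 20 is the SSL library
            "reason_code": reason,
            "policy_related": text in POLICY_REASONS,
            "meaning": POLICY_REASONS.get(text, "not a key-size or digest rejection"),
        })
    return findings

# Constructed sample: the error line quoted in the message, on one line.
SAMPLE = """\
CONNECTED(00000003)
verify return:1
139893557032768:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:ssl/statem/statem_clnt.c:2149:
---
"""

if __name__ == "__main__":
    for finding in diagnose(SAMPLE):
        print(finding)
```

A finding with policy_related set means the client refused the server's parameters, so the lasting fix is on the server side; switching the client to LEGACY only lowers the client's minimum.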