On Thursday, October 1, 2020 7:50:49 AM CEST Lumír Balhar wrote:
> I've upgraded to Fedora 33 beta and I've discovered a problem with
> Thunderbird. All email accounts work well except the Red Hat one with
> mail.corp.redhat.com as an IMAP server (I use Zimbra servers not Gmail).

I asked a few days back if the crypto on the mail server could be updated to
comply with F33 (internal ticket INC1447620).

Pavel

> The problem is that Thunderbird does not show any error message but it's
> not able to communicate with the IMAP server. I'm not able to receive
> any message from the server. I'm able to send a message but a copy is
> then not saved to sent folder for the same reason. My first thought was
> that the problem is caused by a downgrade from 68.11 to 68.10 because
> Thunderbird currently FTBFS in Fedora 33 but it does not seem to be so.
> I've also tried to remove the account and add it back but it did not
> help because I was no longer able to log in to my account without any
> particular error message. I've also tried to delete the server's
> certificates.
>
> The problem seems to be caused by strict crypto policies in Fedora 33
> and too small DH key provided by the server.
>
> $ update-crypto-policies --show
> DEFAULT
>
> $ openssl s_client -showcerts -connect mail.corp.redhat.com:993
> -servername mail.corp.redhat.com
> CONNECTED(00000003)
> depth=3 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.",
> OU = Red Hat IT, CN = Red Hat IT Root CA, emailAddress = infosec@xxxxxxxxxx
> verify return:1
> depth=2 O = Red Hat, OU = prod, CN = Intermediate Certificate Authority
> verify return:1
> depth=1 O = Red Hat, OU = prod, CN = Certificate Authority
> verify return:1
> depth=0 C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU =
> Information Technology, emailAddress = servicedesk@xxxxxxxxxx, CN =
> mail.corp.redhat.com
> verify return:1
> 139893557032768:error:141A318A:SSL routines:tls_process_ske_dhe:dh key
> too small:ssl/statem/statem_clnt.c:2149:
> ---
>
> $ sudo update-crypto-policies --set LEGACY
> Setting system policy to LEGACY
> Note: System-wide crypto policies are applied on application start-up.
> It is recommended to restart the system for the change of policies
> to fully take place.
>
> openssl s_client -showcerts -connect mail.corp.redhat.com:993
> -servername mail.corp.redhat.com
> CONNECTED(00000003)
> depth=3 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.",
> OU = Red Hat IT, CN = Red Hat IT Root CA, emailAddress = infosec@xxxxxxxxxx
> verify return:1
> depth=2 O = Red Hat, OU = prod, CN = Intermediate Certificate Authority
> verify return:1
> depth=1 O = Red Hat, OU = prod, CN = Certificate Authority
> verify return:1
> depth=0 C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU =
> Information Technology, emailAddress = servicedesk@xxxxxxxxxx, CN =
> mail.corp.redhat.com
> verify return:1
> ---
> ... <certificates chain> ...
> ---
> * OK IMAP4 ready
>
> As you can see above, the DH key provided by the server is too small so
> the SSL verification fails.
> Setting the crypto policies to LEGACY solves
> the issue for me and I am again able to recreate my Red Hat account in
> Thunderbird.
>
> Hope this helps. I'm going to report this problem to service desk.
>
> Lumír
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
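
As an added example (not part of either message in this thread), the shell function below triages saved `openssl s_client` output for the failure described above: it separates a handshake the client rejected for a too-small DH key from one that completed with finite-field DH below a threshold, which is the state a relaxed policy leaves you in. The `MIN_DH_BITS` default, the verdict strings and the `Server Temp Key` sample lines are assumptions constructed for illustration; only the error line is copied from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. MIN_DH_BITS is an assumed threshold;
# set it to the minimum your own policy requires.
MIN_DH_BITS="${MIN_DH_BITS:-2048}"

# Reads `openssl s_client` output on stdin and prints one verdict.
triage_s_client() {
    _out=$(cat)
    # The client refused the server's DHE parameters (error quoted in the thread).
    if printf '%s\n' "$_out" | grep -q 'tls_process_ske_dhe:dh key too small'; then
        echo "rejected-dh-too-small"
        return 0
    fi
    # After a completed handshake s_client reports the ephemeral key, e.g.
    # "Server Temp Key: DH, 1024 bits" or "Server Temp Key: X25519, 253 bits".
    _key=$(printf '%s\n' "$_out" | sed -n 's/^Server Temp Key: //p' | head -n 1)
    case "$_key" in
        "DH, "*)
            _bits=$(printf '%s\n' "$_key" | sed -n 's/^DH, \([0-9][0-9]*\) bits$/\1/p')
            if [ -z "$_bits" ]; then
                echo "unknown"
            elif [ "$_bits" -lt "$MIN_DH_BITS" ]; then
                # The handshake completed only because the local policy allowed it.
                echo "accepted-weak-dh $_bits"
            else
                echo "ok-dh $_bits"
            fi ;;
        "") echo "unknown" ;;
        *)  echo "ok-non-ffdhe" ;;
    esac
}

# Constructed samples: the error line is copied from the thread, the
# "Server Temp Key" lines (including the 1024-bit size) are made up.
SAMPLE_DEFAULT='CONNECTED(00000003)
139893557032768:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:ssl/statem/statem_clnt.c:2149:
---'
SAMPLE_LEGACY='CONNECTED(00000003)
---
Server Temp Key: DH, 1024 bits
---
* OK IMAP4 ready'
SAMPLE_ECDHE='CONNECTED(00000003)
---
Server Temp Key: X25519, 253 bits
---'

for _s in "$SAMPLE_DEFAULT" "$SAMPLE_LEGACY" "$SAMPLE_ECDHE"; do
    printf '%s\n' "$_s" | triage_s_client
done
```

To use it on a real capture, save the `s_client` output to a file and pipe it into `triage_s_client`.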