Note that at this point in time (2020), this is a server bug, not a
Fedora policy problem.
I also heartily approve of using a custom policy change rather than
switching to legacy, and hopefully people will quickly be able to remove
that custom change too because that DH size is simply too weak for
today's standards, and the policy affects all software on the system,
not just Thunderbird ...

Simo.

On Thu, 2020-10-01 at 08:18 +0200, Lumír Balhar wrote:
> Probably better than switching the system-wide policy to LEGACY is to
> create a policy modifier which alters only the minimum size of DH keys.
>
> $ echo "min_dh_size = 1023" | sudo tee /etc/crypto-policies/policies/modules/DH-SIZE.pmod
>
> $ sudo update-crypto-policies --set DEFAULT:DH-SIZE
>
> The issue is already reported to the service desk.
>
> Lumír
>
> On 10/1/20 7:50 AM, Lumír Balhar wrote:
> > Hello.
> >
> > I've upgraded to Fedora 33 beta and I've discovered a problem with
> > Thunderbird. All email accounts work well except the Red Hat one with
> > mail.corp.redhat.com as an IMAP server (I use Zimbra servers not Gmail).
> >
> > The problem is that Thunderbird does not show any error message but
> > it's not able to communicate with the IMAP server. I'm not able to
> > receive any message from the server. I'm able to send a message but a
> > copy is then not saved to sent folder for the same reason. My first
> > thought was that the problem is caused by a downgrade from 68.11 to
> > 68.10 because Thunderbird currently FTBFS in Fedora 33 but it does not
> > seem to be so. I've also tried to remove the account and add it back
> > but it did not help because I was no longer able to log in to my
> > account without any particular error message. I've also tried to
> > delete the server's certificates.
> >
> > The problem seems to be caused by strict crypto policies in Fedora 33
> > and too small DH key provided by the server.
> >
> > $ update-crypto-policies --show
> > DEFAULT
> >
> > $ openssl s_client -showcerts -connect mail.corp.redhat.com:993 -servername mail.corp.redhat.com
> > CONNECTED(00000003)
> > depth=3 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", OU = Red Hat IT, CN = Red Hat IT Root CA, emailAddress = infosec@xxxxxxxxxx
> > verify return:1
> > depth=2 O = Red Hat, OU = prod, CN = Intermediate Certificate Authority
> > verify return:1
> > depth=1 O = Red Hat, OU = prod, CN = Certificate Authority
> > verify return:1
> > depth=0 C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU = Information Technology, emailAddress = servicedesk@xxxxxxxxxx, CN = mail.corp.redhat.com
> > verify return:1
> > 139893557032768:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:ssl/statem/statem_clnt.c:2149:
> > ---
> >
> > $ sudo update-crypto-policies --set LEGACY
> > Setting system policy to LEGACY
> > Note: System-wide crypto policies are applied on application start-up.
> > It is recommended to restart the system for the change of policies
> > to fully take place.
> >
> > $ openssl s_client -showcerts -connect mail.corp.redhat.com:993 -servername mail.corp.redhat.com
> > CONNECTED(00000003)
> > depth=3 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", OU = Red Hat IT, CN = Red Hat IT Root CA, emailAddress = infosec@xxxxxxxxxx
> > verify return:1
> > depth=2 O = Red Hat, OU = prod, CN = Intermediate Certificate Authority
> > verify return:1
> > depth=1 O = Red Hat, OU = prod, CN = Certificate Authority
> > verify return:1
> > depth=0 C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU = Information Technology, emailAddress = servicedesk@xxxxxxxxxx, CN = mail.corp.redhat.com
> > verify return:1
> > ---
> > ... <certificates chain> ...
> > ---
> > * OK IMAP4 ready
> >
> > As you can see above, the DH key provided by the server is too small
> > so the SSL verification fails.
> > Setting the crypto policies to LEGACY
> > solves the issue for me and I am again able to recreate my Red Hat
> > account in Thunderbird.
> >
> > Hope this helps. I'm going to report this problem to service desk.
> >
> > Lumír
> > _______________________________________________
> > devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> > To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
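
Added example, not part of the original thread: a small shell function that reads an `openssl s_client` transcript and reports whether the server is still offering an undersized finite-field DH key, which is the condition that decides when the DH-SIZE override can be removed again. The function name, the 2048-bit threshold and the sample transcripts are assumptions made for this example; the `Server Temp Key` line is what s_client prints for the ephemeral key after a successful handshake.

```shell
#!/bin/sh
# Added example: classify an `openssl s_client` transcript by its DHE key size.
# Live use (hypothetical host), run while the DH-SIZE override is active:
#   openssl s_client -connect HOST:993 </dev/null 2>&1 | dh_check 2048

# dh_check MIN_BITS   (transcript on stdin). Prints one of:
#   rejected      the client refused the handshake ("dh key too small")
#   weak-dh BITS  finite-field DHE was negotiated below MIN_BITS
#   ok-dh BITS    finite-field DHE at or above MIN_BITS
#   not-dhe       no finite-field DHE key reported (ECDHE, X25519, ...)
dh_check() {
    dh_min_bits=$1
    dh_transcript=$(cat)

    # Error string as shown in the thread when the policy rejects the key.
    if printf '%s\n' "$dh_transcript" | grep -q 'dh key too small'; then
        echo "rejected"
        return 0
    fi

    # Successful handshakes report e.g. "Server Temp Key: DH, 1024 bits".
    dh_bits=$(printf '%s\n' "$dh_transcript" |
        sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1)

    if [ -z "$dh_bits" ]; then
        echo "not-dhe"
    elif [ "$dh_bits" -lt "$dh_min_bits" ]; then
        echo "weak-dh $dh_bits"
    else
        echo "ok-dh $dh_bits"
    fi
}

# Constructed sample transcripts (trimmed; not captured from a real server).
SAMPLE_REJECTED='CONNECTED(00000003)
139893557032768:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:ssl/statem/statem_clnt.c:2149:'
SAMPLE_OVERRIDE='CONNECTED(00000003)
Server Temp Key: DH, 1024 bits
* OK IMAP4 ready'
SAMPLE_ECDHE='CONNECTED(00000003)
Server Temp Key: X25519, 253 bits'

# 2048 is an assumed target threshold for this example.
printf '%s\n' "$SAMPLE_REJECTED" | dh_check 2048
printf '%s\n' "$SAMPLE_OVERRIDE" | dh_check 2048
printf '%s\n' "$SAMPLE_ECDHE"    | dh_check 2048
```

Once the check stops reporting `rejected` or `weak-dh` for the server, the override module is no longer needed and the policy can go back to plain DEFAULT.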