Ssl error with offlineimap version 6.6.1 (debian package)

Tomasz ┼╗ok tomasz.zok at gmail.com
Sun Feb 7 11:29:44 GMT 2016


Hi Leandro,

On 2016-02-06 at 17:40, Leandro Noferini wrote:
> My imap server is courier with an selfsigned certificate and it worked
> fine for many years but some days ago it began to give me this error:
> 
> (...)
>
>  ERROR: Unknown SSL protocol connecting to host 'bbs.cybervalley.org' for repository 'RemotoBBs'. OpenSSL responded:
> [SSL: SSL_NEGATIVE_LENGTH] dh key too small (_ssl.c:590)
> 
> (...)
>
> What could be the error?

OpenSSL has issued a change to protect from known vulnerability. You can
read more here:
https://weakdh.org/
https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/


In short, the IMAP server (or another SSL service) uses Diffie-Hellman
(dh) protocol to establish keys for communication. A weakness in the
protocol has been found if a short key for dh is used. So OpenSSL issued
a patch which in effect disallows connections to the servers with weak
dh key.

You can check if your IMAP server is vulnerable with the command:
    $ openssl s_client -connect $SERVER:imaps -cipher "EDH" | grep "Server Temp Key"

Where $SERVER is the hostname of your IMAP server. If the result shows
768 bits or less then OpenSSL (and OfflineIMAP effectively) will refuse
to connect. Soon, 1024 bits will also be treated as too weak and
refused.

I think in this situation, only the IMAP server admin can aid. Even if
there were some action possible on the client side, it would be at
a cost of lower security.

Best regards,
Tomasz




More information about the OfflineIMAP-project mailing list