Ssl error with offlineimap version 6.6.1 (debian package)

Leandro Noferini lnoferin at cybervalley.org
Sun Feb 7 22:20:28 GMT 2016


Tomasz ┼╗ok <tomasz.zok at gmail.com> writes:


[...]

>>  ERROR: Unknown SSL protocol connecting to host
>> 'bbs.cybervalley.org' for repository 'RemotoBBs'. OpenSSL responded:
>> [SSL: SSL_NEGATIVE_LENGTH] dh key too small (_ssl.c:590)
>> 
>> (...)
>>
>> What could be the error?
>
> OpenSSL has issued a change to protect from known vulnerability. You can
> read more here:
> https://weakdh.org/
> https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/

[...]

> dh key.
>
> You can check if your IMAP server is vulnerable with the command:
>     $ openssl s_client -connect $SERVER:imaps -cipher "EDH" | grep
> "Server Temp Key"

> Where $SERVER is the hostname of your IMAP server. If the result shows
> 768 bits or less then OpenSSL (and OfflineIMAP effectively) will refuse
> to connect. Soon, 1024 bits will also be treated as too weak and
> refused.

Server Temp Key: DH, 768 bits

Ok, it's clear!

> I think in this situation, only the IMAP server admin can aid. Even if
> there were some action possible on the client side, it would be at
> a cost of lower security.

I am the admin of server (it is in my house) and I can do what I
can/like because it is a family server.

I use courier as imap sever for many years and I would not change but I
tried to use a certificate from letsencrypt project but it gives some
error.

P.S.: thanks a lot for explanation!

-- 
leandro
Scegli sempre un'idea che ti permetta poi di cambiarla
http://6xukrlqedfabdjrb.onion
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 464 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/offlineimap-project/attachments/20160207/9021226f/attachment-0003.sig>


More information about the OfflineIMAP-project mailing list