Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
imapd via STARTLS not working after upgrade{SOLVED]
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
octavsly
n00b
n00b


Joined: 22 Aug 2007
Posts: 23
Location: Eindhoven, HTC

PostPosted: Sun Jul 06, 2014 10:28 am    Post subject: imapd via STARTLS not working after upgrade{SOLVED] Reply with quote

Posted so other can find the solution easier.

After updating the net-mail/courier-imap to 4.15-r1, I could not retrieve the e-mails via STARTTLS anymore.
Strangely enough it still worked via SSL/TLS (port 993).

Tried debugging via http://www.courier-mta.org/authlib/README.authdebug.html but STARTTLS was not there.

Then found in the /var/log/messages the following error:
Code:
imapd-ssl: couriertls: /usr/share/dhparams.pem: error:02001002:system library:fopen:No such file or directory


http://www.courier-mta.org/imap/INSTALL.html shows:
Quote:
Upgrading from Courier-IMAP 4.14, and earlier

Version 4.15 removes the TLS_DHCERTFILE parameter from imap, and pop3d configuration files. DH parameters, and DH parameters only, get read from the new TLS_DHPARAMS file (and the other functionaly of TLS_DHCERTFILE, for DSA certificates, is merged into TLS_CERTFILE). The default startup script in the package is updated to run the new mkdhparams script, that creates a new TLS_DHPARAMS file.


In gentoo /etc/*/impad-ssl file, parameter TLS_DHPARAMS was set to /usr/share/dhparams.pem and the file was not existent.

Two solutions:
1. Disable th aparameter in the impad-ssl file:
Code:
#TLS_DHPARAMS=/usr/share/dhparams.pem


OR
2. Run, as the manual says, mkdhparams which will create that file
Back to top
View user's profile Send private message
cilly
n00b
n00b


Joined: 27 Jun 2006
Posts: 2

PostPosted: Mon Jul 21, 2014 5:12 pm    Post subject: Re: imapd via STARTLS not working after upgrade{SOLVED] Reply with quote

Thank you!!!!!!

:lol:
Back to top
View user's profile Send private message
Floppe
n00b
n00b


Joined: 27 Feb 2003
Posts: 48
Location: Finland

PostPosted: Wed Jul 23, 2014 10:01 am    Post subject: Reply with quote

Many thanks!
Back to top
View user's profile Send private message
Duncan Mac Leod
Apprentice
Apprentice


Joined: 02 May 2004
Posts: 186
Location: Germany

PostPosted: Tue May 19, 2015 2:07 pm    Post subject: Reply with quote

Microsoft's last patchday (May 2015) introduced another problem, REQUIRING a DHE key length of 1,024 bits! (default is 768 if you are using OpenSSL and the mkdhparams tools).

If you are using a DHE key length of < 1,024 bits, a TLS connection is not possible.

https://support.microsoft.com/en-us/kb/3061518/

Two soultions:

#1 set the environment variable BITS (see manpage of mkdhparams)

or

#2 edit /usr/sbin/mkdhparams and change the value 768 to 1024

Generate a new .pem file and it will work again.

Took me hours to track down the problem, so I post this to make your life easier.

The problem occurs in our network ONLY for Windows 8.1 and Windows Server 2012 R2 systems, all other systems were not affected, but AFAIK Microsoft is planning to patch the other operating systems in the next months.

Hope that helps...
Back to top
View user's profile Send private message
octavsly
n00b
n00b


Joined: 22 Aug 2007
Posts: 23
Location: Eindhoven, HTC

PostPosted: Tue Jun 16, 2015 9:13 am    Post subject: Reply with quote

Thanks Duncan Mac Leod for the info.

Reason for change can be seen in https://weakdh.org/

For regenerating the key use DH_BITS instead of BITS as the manual says.
Code:
rm  /usr/share/dhparams.pem ; DH_BITS=2048 mkdhparams


Newer versions of thunderbird also refuse connection to < 1024 bits. The message is a bit cryptic.

Quote:
The IMAP server info@server.com does not support the selected authentication method. Please change the 'Authentication method' in the 'Account Settings | Server settings'.


However if Error console is opened (Ctrl+Shift+J) a more clear message appear:
Quote:

Timestamp: 06/16/2015 11:02:12 AM
Error: An error occurred during a connection to imap.server.com:143.

SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.

(Error code: ssl_error_weak_server_ephemeral_dh_key)


I will write a bug in gentoo to have the default to 1024
Back to top
View user's profile Send private message
mt_undershirt
n00b
n00b


Joined: 20 Dec 2014
Posts: 4

PostPosted: Tue Jun 16, 2015 9:44 am    Post subject: Yes! Reply with quote

:D Many thanks to octavsly and MacLeod, my thunderbird just failed on multiple accounts after today's upgrade to 38.0.1 with the aforementioned cryptic error message.
Connection was still working on other machines and iOS devices, though. 8O :?:

So, you probably saved me a lot of time otherwise wasted on tracking down the problem, I truly :!: appreciate that.

As described, removing the old dhparams.pem and running 1024-bit modified mkdhparams on the server did the trick right away.

Regards
mtu
Back to top
View user's profile Send private message
toralf
Advocate
Advocate


Joined: 01 Feb 2004
Posts: 2951
Location: Hamburg/Germany

PostPosted: Tue Jun 16, 2015 11:30 am    Post subject: Reply with quote

IMO re-creating the .pem file should be scheduled regularly, eg. via cron once per week/month or so, even if you're not paranoid.
Back to top
View user's profile Send private message
F1r31c3r
Tux's lil' helper
Tux's lil' helper


Joined: 31 Aug 2007
Posts: 94
Location: UK

PostPosted: Thu Jun 25, 2015 4:18 am    Post subject: workaround for the user Reply with quote

Hi all,

I too came across this problem and after 2 hours with my hosting provider they provided me with reassurance but nothing more.

They told me they had fixed it twice but it still did not work so i decided to disable the use of the key and force Thunderbird to use a higher encryption key.

If you go to Edit -> Preferences, then the advanced and General tab. At the bottom is a button called Config Editor. Click it and enter this then use the filter to find all ssl3 entries.

Find
Quote:
security.ssl3.dhe_rsa_aes_128_sha


and set it to false by double clicking it.

Now you will find the server is forced to use an alternative which has a more secure mechanism.

This is how i got around it, so if you are struggling with your hosting company then this is a quick work around untill you can kick them up the ass to fix it.
_________________
When i look In-between white and black i see a rainbow of colours
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum