|Greg Helledy on 22 Jul 2015 11:00:36 -0700|
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
|[PLUG] Thunderbird 38.1.0 and insecure cyphers (Logjam)|
Apparently the new version of Thunderbird performs a test for weak SSL keys to to protect people from the Logjam vulnerability.
https://weakdh.org/The T-bird error console says "SSE received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message".
I've confirmed that we have a 2,048 bit key, so the implication is that our software is set to allow an export-grade "cypher suite", downgrading our 2,048-bit key to 512 bits. Note that this key is not one we generated, but is provided by the VPS hosting company.
I've gone into the management console and the "IMAP TLS/SSL Cipher List" had the following:
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXPWhich should be fine because it disables export-grade suites. I added a couple of things to specifically disable ephemeral Diffie-Hellman:
ALL:!ADH:!kDHE:!DHE:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXPClicking on save restarts the IMAP server. However, T-Bird is *still* reporting the same error. I'm left to conclude that either: 1. The config shown in the VPS management GUI is not in fact what's applied to the running software, or
2. There's something wrong with this T-bird release.I wanted to get an independent confirmation of whether our server is vulnerable, but the Qualsys SSL tool says "Ports other than 443 not supported" when I try to point it at our mail server at port 993. Our webserver, running Apache, is fine. Is there an online tool for mail servers?
In case it's not obvious, I am NOT knowledgeable about crypto. Would a next step be to find the config file for the IMAP server (Courier) where the cypher list is stored?
Anyone else having this kind of issue? -- Greg Helledy GRA, Incorporated P: +1 215-884-7500 F: +1 215-884-1385 www.gra.aero ___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug