[PLUG] Thunderbird 38.1.0 and insecure cyphers (Logjam)

Greg Helledy on 22 Jul 2015 11:00:36 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[PLUG] Thunderbird 38.1.0 and insecure cyphers (Logjam)

From: Greg Helledy <gregsonh@gra-inc.com>
To: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
Subject: [PLUG] Thunderbird 38.1.0 and insecure cyphers (Logjam)
Date: Wed, 22 Jul 2015 14:00:35 -0400
Organization: GRA, Incorporated
Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
Sender: "plug" <plug-bounces@lists.phillylinux.org>
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0

Thunderbird 38.1 was recently released and many users are set toauto-update to new versions. Those who did could no longer connect toour mail server.

Apparently the new version of Thunderbird performs a test for weak SSLkeys to to protect people from the Logjam vulnerability.

https://weakdh.org/

The T-bird error console says "SSE received a weak ephemeralDiffie-Hellman key in Server Key Exchange handshake message".

I've confirmed that we have a 2,048 bit key, so the implication is thatour software is set to allow an export-grade "cypher suite",downgrading our 2,048-bit key to 512 bits. Note that this key is notone we generated, but is provided by the VPS hosting company.

I've gone into the management console and the "IMAP TLS/SSL Cipher List"had the following:


ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

Which should be fine because it disables export-grade suites. I added acouple of things to specifically disable ephemeral Diffie-Hellman:


ALL:!ADH:!kDHE:!DHE:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

Clicking on save restarts the IMAP server. However, T-Bird is *still*reporting the same error. I'm left to conclude that either:1. The config shown in the VPS management GUI is not in fact what'sapplied to the running software, or

2.  There's something wrong with this T-bird release.

I wanted to get an independent confirmation of whether our server isvulnerable, but the Qualsys SSL tool says "Ports other than 443 notsupported" when I try to point it at our mail server at port 993. Ourwebserver, running Apache, is fine. Is there an online tool for mailservers?

In case it's not obvious, I am NOT knowledgeable about crypto. Would anext step be to find the config file for the IMAP server (Courier) wherethe cypher list is stored?


Anyone else having this kind of issue?

--
Greg Helledy
GRA, Incorporated
P:  +1 215-884-7500
F:  +1 215-884-1385
www.gra.aero
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

Follow-Ups:
- Re: [PLUG] Thunderbird 38.1.0 and insecure cyphers (Logjam)
  - From: Rachel Rawlings <rachelneko@gmail.com>
- Re: [PLUG] Thunderbird 38.1.0 and insecure cyphers (Logjam)
  - From: "Keith C. Perry" <kperry@daotechnologies.com>

Prev by Date: Re: [PLUG] FOSSCon? (Rich Mingin (PLUG))
Next by Date: Re: [PLUG] FOSSCon installfest
Previous by thread: Re: [PLUG] FOSSCon? (Rich Mingin (PLUG))
Next by thread: Re: [PLUG] Thunderbird 38.1.0 and insecure cyphers (Logjam)
Index(es):
- Date
- Thread