Rachel Rawlings on 22 Jul 2015 12:16:41 -0700



Re: [PLUG] Thunderbird 38.1.0 and insecure cyphers (Logjam)


The weakdh site has cipher suite recommendations for a number of mail and web servers at https://weakdh.org/sysadmin.html. This is the first place to compare your suites. The one for Firefox is very long and hard to read, so I trimmed it down to

   SSLCipherSuite TLSv1:+SHA256:+HIGH:!MD5:!eNULL:!aNULL:!LOW:!EXPORT

You may need to pay extra attention to step 3, generating your own Diffie-Hellman group rather than relying on one that's been installed by your package manager. To do this, use openssl:

   openssl dhparam -out dhparams.pem 2048

Also, confirm that your key is not using SHA1, since this has also been deprecated and is being complained about by both Firefox and Chromium.



On Jul 22, 2015 2:00 PM, "Greg Helledy" <gregsonh@gra-inc.com> wrote:
Thunderbird 38.1 was recently released and many users are set to auto-update to new versions.  Those who did could no longer connect to our mail server.

Apparently the new version of Thunderbird performs a test for weak SSL keys to protect people from the Logjam vulnerability.
https://weakdh.org/

The T-bird error console says "SSE received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message".

I've confirmed that we have a 2,048 bit key, so the implication is that our software is set to allow an export-grade "cypher suite", downgrading our 2,048-bit key to 512 bits.  Note that this key is not one we generated, but is provided by the VPS hosting company.

I've gone into the management console and the "IMAP TLS/SSL Cipher List" had the following:

ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

Which should be fine because it disables export-grade suites.  I added a couple of things to specifically disable ephemeral Diffie-Hellman:

ALL:!ADH:!kDHE:!DHE:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

Clicking on save restarts the IMAP server.  However, T-Bird is *still* reporting the same error.  I'm left to conclude that either:
1.  The config shown in the VPS management GUI is not in fact what's applied to the running software, or
2.  There's something wrong with this T-bird release.

I wanted to get an independent confirmation of whether our server is vulnerable, but the Qualys SSL tool says "Ports other than 443 not supported" when I try to point it at our mail server at port 993.  Our webserver, running Apache, is fine.  Is there an online tool for mail servers?

In case it's not obvious, I am NOT knowledgeable about crypto.  Would a next step be to find the config file for the IMAP server (Courier) where the cypher list is stored?

Anyone else having this kind of issue?

--
Greg Helledy
GRA, Incorporated
P:  +1 215-884-7500
F:  +1 215-884-1385
www.gra.aero
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
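
On the question raised in the thread of independently checking a mail server on port 993: the following is an added example, not part of either message, that asks your own server for an ephemeral Diffie-Hellman suite with `openssl s_client` and reports the size of the group it actually sends. The function names, the host `mail.example.org` and the sample output are assumptions constructed for illustration; the "Server Temp Key" line is printed by OpenSSL 1.0.2 and later.

```shell
#!/bin/sh
# Added example. Function names and the host below are placeholders.

# Read `openssl s_client` output on stdin and classify the server's
# ephemeral key. $1 = minimum acceptable DH size in bits (default 2048,
# matching the dhparam command in the thread).
# Prints: NONE | NON-DH <kind> | UNPARSED | WEAK <bits> | OK <bits>
classify_temp_key() {
    min_bits="${1:-2048}"
    key=$(sed -n 's/^Server Temp Key: //p' | head -n 1)
    if [ -z "$key" ]; then
        echo "NONE"              # no ephemeral key exchange was negotiated
        return 0
    fi
    kind=${key%%,*}              # "DH", "ECDH", "X25519", ...
    bits=${key% bits*}           # drop the trailing " bits"
    bits=${bits##* }             # keep the last number
    if [ "$kind" != "DH" ]; then
        echo "NON-DH $kind"      # e.g. ECDHE was chosen, not finite-field DH
        return 0
    fi
    case "$bits" in
        ''|*[!0-9]*) echo "UNPARSED"; return 0 ;;
    esac
    if [ "$bits" -lt "$min_bits" ]; then
        echo "WEAK $bits"
    else
        echo "OK $bits"
    fi
}

# Offer only ephemeral-DH suites over TLS 1.2 so the server has to show
# the DH group it uses. $1 = host:port, $2 = minimum bits (optional).
check_imaps() {
    openssl s_client -connect "$1" -cipher 'EDH' -tls1_2 \
        </dev/null 2>/dev/null | classify_temp_key "${2:-2048}"
}

# Constructed sample of the relevant s_client lines, so this runs offline.
SAMPLE='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server Temp Key: DH, 1024 bits
Server public key is 2048 bit'
printf '%s\n' "$SAMPLE" | classify_temp_key

# Against your own server (placeholder host):
#   check_imaps mail.example.org:993
```

A result of `NONE` from `check_imaps` means the server did not negotiate any ephemeral-DH suite with this client, which is what a cipher list containing `!DHE` should produce if it is really the one the running daemon uses.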