Keith C. Perry on 22 Jul 2015 12:24:40 -0700



Re: [PLUG] Thunderbird 38.1.0 and insecure cyphers (Logjam)


Would testing with another mail client be helpful?  Eudora or Zimbra Desktop should work enough for you to confirm the quality of the certificate.

Some iptables rules might help you test with the Qualys SSL tool (i.e. port forward 443 to 993).

---
KP-

On Jul 22, 2015 2:00 PM, Greg Helledy <gregsonh@gra-inc.com> wrote:
>
> Thunderbird 38.1 was recently released and many users are set to 
> auto-update to new versions.  Those who did could no longer connect to 
> our mail server. 
>
> Apparently the new version of Thunderbird performs a test for weak SSL 
> keys to protect people from the Logjam vulnerability. 
> https://weakdh.org/ 
>
> The T-bird error console says "SSL received a weak ephemeral 
> Diffie-Hellman key in Server Key Exchange handshake message". 
>
> I've confirmed that we have a 2,048 bit key, so the implication is that 
> our software is set to allow an export-grade "cypher suite", 
> downgrading our 2,048-bit key to 512 bits.  Note that this key is not 
> one we generated, but is provided by the VPS hosting company. 
>
> I've gone into the management console and the "IMAP TLS/SSL Cipher List" 
> had the following: 
>
> ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP 
>
> Which should be fine because it disables export-grade suites.  I added a 
> couple of things to specifically disable ephemeral Diffie-Hellman: 
>
> ALL:!ADH:!kDHE:!DHE:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP 
>
> Clicking on save restarts the IMAP server.  However, T-Bird is *still* 
> reporting the same error.  I'm left to conclude that either: 
> 1.  The config shown in the VPS management GUI is not in fact what's 
> applied to the running software, or 
> 2.  There's something wrong with this T-bird release. 
>
> I wanted to get an independent confirmation of whether our server is 
> vulnerable, but the Qualys SSL tool says "Ports other than 443 not 
> supported" when I try to point it at our mail server at port 993.  Our 
> webserver, running Apache, is fine.  Is there an online tool for mail 
> servers? 
>
> In case it's not obvious, I am NOT knowledgeable about crypto.  Would a 
> next step be to find the config file for the IMAP server (Courier) where 
> the cypher list is stored? 
>
> Anyone else having this kind of issue? 
>
> -- 
> Greg Helledy 
> GRA, Incorporated 
> P:  +1 215-884-7500 
> F:  +1 215-884-1385 
> www.gra.aero 
> ___________________________________________________________________________ 
> Philadelphia Linux Users Group         --        http://www.phillylinux.org 
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce 
> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug 
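
An added example, not part of either message above: the independent check asked about in the thread can be done from any shell by reading the "Server Temp Key" line that `openssl s_client` prints for an ephemeral key exchange. The classifier below runs over constructed sample output; the `probe_imaps` helper, the placeholder host `mail.example.org`, and the 1024/2048-bit thresholds are assumptions of this example.

```sh
#!/bin/sh
# Added example: read `openssl s_client` output and judge the server's
# ephemeral key ("Server Temp Key" line, printed by OpenSSL 1.0.2+ clients).

# Live probe of an IMAPS port; the host argument is yours to supply.
# EDH offers only ephemeral-DH suites; -tls1_2 keeps TLS 1.3 out of the way.
probe_imaps() {
    openssl s_client -connect "$1:993" -cipher EDH -tls1_2 </dev/null 2>&1
}

# Thresholds are an assumption: below 1024 bits is treated as weak, and
# 2048 bits is the group size weakdh.org recommends.
classify_dh() {
    awk '
        /dh key too small/ { small = 1 }
        /Server Temp Key:/ {
            seen = 1; kind = $4; sub(/,$/, "", kind)
            for (i = 2; i <= NF; i++) if ($i == "bits") bits = $(i - 1) + 0
        }
        END {
            if (small)        { print "WEAK: client rejected DH key as too small"; exit }
            if (!seen)        { print "NONE: no ephemeral key reported"; exit }
            if (kind != "DH") { print "OK: " kind ", not finite-field DH"; exit }
            if (bits < 1024)  { print "WEAK: DH " bits " bits"; exit }
            if (bits < 2048)  { print "MARGINAL: DH " bits " bits"; exit }
            print "OK: DH " bits " bits"
        }'
}

# Constructed s_client excerpts, not captured from any real server.
SAMPLE_EXPORT='CONNECTED(00000003)
Server Temp Key: DH, 512 bits'
SAMPLE_1024='CONNECTED(00000003)
Server Temp Key: DH, 1024 bits'
SAMPLE_ECDH='CONNECTED(00000003)
Server Temp Key: ECDH, P-256, 256 bits'
SAMPLE_REFUSED='CONNECTED(00000003)
error:SSL routines:tls_process_ske_dhe:dh key too small'
SAMPLE_NO_DHE='CONNECTED(00000003)
error:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure'

for s in "$SAMPLE_EXPORT" "$SAMPLE_1024" "$SAMPLE_ECDH" "$SAMPLE_REFUSED" "$SAMPLE_NO_DHE"; do
    printf '%s\n' "$s" | classify_dh
done
# Against a real server: probe_imaps mail.example.org | classify_dh
```

A `NONE` result after a cipher-list change that removes DHE suites means the change reached the running server; a `WEAK` result after the same change means the running configuration differs from the one shown in the management console.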