On Thursday, October 1, 2020 7:50:49 AM CEST Lumír Balhar wrote:
> I've upgraded to Fedora 33 beta and I've discovered a problem with 
> Thunderbird. All email accounts work well except the Red Hat one with 
> mail.corp.redhat.com as an IMAP server (I use Zimbra servers, not Gmail).

I asked a few days back if the crypto on the mail server could be updated to
comply with F33 (internal ticket INC1447620).

Pavel

> The problem is that Thunderbird does not show any error message but it's 
> not able to communicate with the IMAP server. I'm not able to receive 
> any message from the server. I'm able to send a message but a copy is 
> then not saved to the Sent folder for the same reason. My first thought was 
> that the problem is caused by a downgrade from 68.11 to 68.10 because 
> Thunderbird currently FTBFS in Fedora 33 but it does not seem to be so. 
> I've also tried to remove the account and add it back but it did not 
> help because I was no longer able to log in to my account without any 
> particular error message. I've also tried to delete the server's 
> certificates.
> 
> The problem seems to be caused by strict crypto policies in Fedora 33 
> and a too-small DH key provided by the server.
> 
> $ update-crypto-policies --show
> DEFAULT
> 
> $ openssl s_client -showcerts -connect mail.corp.redhat.com:993 
> -servername mail.corp.redhat.com
> CONNECTED(00000003)
> depth=3 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", 
> OU = Red Hat IT, CN = Red Hat IT Root CA, emailAddress = info...@redhat.com
> verify return:1
> depth=2 O = Red Hat, OU = prod, CN = Intermediate Certificate Authority
> verify return:1
> depth=1 O = Red Hat, OU = prod, CN = Certificate Authority
> verify return:1
> depth=0 C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU = 
> Information Technology, emailAddress = serviced...@redhat.com, CN = 
> mail.corp.redhat.com
> verify return:1
> 139893557032768:error:141A318A:SSL routines:tls_process_ske_dhe:dh key 
> too small:ssl/statem/statem_clnt.c:2149:
> ---
> 
> $ sudo update-crypto-policies --set LEGACY
> Setting system policy to LEGACY
> Note: System-wide crypto policies are applied on application start-up.
> It is recommended to restart the system for the change of policies
> to fully take place.
> 
> $ openssl s_client -showcerts -connect mail.corp.redhat.com:993 
> -servername mail.corp.redhat.com
> CONNECTED(00000003)
> depth=3 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", 
> OU = Red Hat IT, CN = Red Hat IT Root CA, emailAddress = info...@redhat.com
> verify return:1
> depth=2 O = Red Hat, OU = prod, CN = Intermediate Certificate Authority
> verify return:1
> depth=1 O = Red Hat, OU = prod, CN = Certificate Authority
> verify return:1
> depth=0 C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU = 
> Information Technology, emailAddress = serviced...@redhat.com, CN = 
> mail.corp.redhat.com
> verify return:1
> ---
> ... <certificates chain> ...
> ---
> * OK IMAP4 ready
> 
> As you can see above, the DH key provided by the server is too small so 
> the SSL verification fails. Setting the crypto policies to LEGACY solves 
> the issue for me and I am again able to recreate my Red Hat account in 
> Thunderbird.
> 
> Hope this helps. I'm going to report this problem to the service desk.
> 
> Lumír
> _______________________________________________
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
> 
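The "dh key too small" error quoted above is raised while the client processes the DHE ServerKeyExchange message. The following added example (not from the thread or from OpenSSL) parses that message's DH parameters and applies a per-policy minimum size; the thresholds in `MIN_DH_BITS`, the helper names and the sample parameters are assumptions constructed for illustration, and the thread does not state the server's actual DH size.

```python
import struct

# Assumed minimum DH prime sizes in bits per crypto policy (not stated in the
# thread); confirm against min_dh_size in your system's policy definitions.
MIN_DH_BITS = {"DEFAULT": 2048, "LEGACY": 1023}


def parse_server_dh_params(body: bytes):
    """Parse ServerDHParams (RFC 5246, 7.4.3): three 2-byte-length-prefixed
    big-endian integers dh_p, dh_g, dh_Ys. Returns (p, g, ys, bytes_consumed)."""
    values, offset = [], 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if offset + 2 > len(body):
            raise ValueError(f"truncated before {name} length")
        (length,) = struct.unpack_from("!H", body, offset)
        offset += 2
        if length == 0 or offset + length > len(body):
            raise ValueError(f"bad {name} length {length}")
        values.append(int.from_bytes(body[offset:offset + length], "big"))
        offset += length
    p, g, ys = values
    return p, g, ys, offset  # any signature after the params is left unparsed


def check_dh_size(body: bytes, policy: str):
    """Return (accepted, prime_bits) for a ServerKeyExchange body under policy."""
    p, g, ys, _ = parse_server_dh_params(body)
    if not 1 < ys < p - 1:
        raise ValueError("server public value out of range")
    bits = p.bit_length()
    return bits >= MIN_DH_BITS[policy], bits


def build_ske(p: int, g: int, ys: int) -> bytes:
    """Encode constructed sample parameters the way a server would send them."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(raw)) + raw
    return out


# Constructed sample values (not real primes, not captured from any server).
SAMPLE_1024 = build_ske((1 << 1023) | 1, 2, 0x1234567)
SAMPLE_2048 = build_ske((1 << 2047) | 1, 2, 0x1234567)

if __name__ == "__main__":
    for policy in MIN_DH_BITS:
        print(policy, check_dh_size(SAMPLE_1024, policy))
```

With these assumed thresholds, the same 1024-bit parameters are rejected under DEFAULT and accepted under LEGACY, which matches the behaviour shown in the two `openssl s_client` runs; the durable fix is larger DH parameters on the server rather than a weaker client policy.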


