Control: severity -1 normal

On Tue, Nov 10, 2020 at 10:30 PM Francesco Potortì <poto...@isti.cnr.it> wrote:
> fetchmail can no longer download mail from some servers.  In the logfile
> it reports:
>
> fetchmail: OpenSSL reported: error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
> fetchmail: SSL connection failed.
> fetchmail: socket error while fetching from addr...@server.org
> fetchmail: Query status=2 (SOCKET)
> fetchmail: Server certificate verification error: Hostname mismatch
> fetchmail: OpenSSL reported: error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small

Please note what the log says. It comes from OpenSSL and _not_ from
fetchmail. This is for your safety. The SHA-1 algorithm is no longer
supported for key signatures, and RSA and DHE keys shorter than 2048 bits
are no longer considered safe. The servers you get this log for fail
with one or both of the mentioned cases. Ask the system administrators of
those servers to upgrade the used keys and signatures.
I think this level of checking was first introduced with OpenSSL
1.1.1f and all applications will refuse to work if compiled with this
or newer version (for example curl). If you don't mind sending your
login information on a now insecure channel, you can restore the
previous behaviour. You need to edit /etc/ssl/openssl.cnf and set
"CipherString = DEFAULT@SECLEVEL=2" to one instead. But then again,
it's definitely NOT recommended for your security.

Regards,
Laszlo/GCS
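A diagnostic an administrator can use before lowering SECLEVEL, added here as an example (not code from the bug thread or from fetchmail): it reads `openssl s_client` output and classifies the server's ephemeral key against the documented level-2 thresholds, so the "dh key too small" failure can be traced to the server's DH parameters. The host and port in `probe_imap` are placeholders.

```shell
#!/bin/sh
# Added example, not code from the bug thread: classify the ephemeral key a
# mail server offers in the TLS handshake by the SECLEVEL=2 thresholds that
# OpenSSL documents (DH < 2048 bits and ECC < 224 bits are rejected).
# Reads the text output of `openssl s_client` on stdin and prints one word:
#   ok         ephemeral key meets security level 2
#   too-small  it would trigger "dh key too small" (or the ECC equivalent)
#   none       no "Server Temp Key" line (handshake failed or RSA key exchange)
classify_temp_key() {
    rest=$(sed -n 's/.*Server Temp Key: *//p' | head -n 1)
    if [ -z "$rest" ]; then
        echo none
        return 0
    fi
    kind=${rest%%,*}                                  # e.g. DH, ECDH, X25519
    bits=$(printf '%s\n' "$rest" | sed -n 's/.* \([0-9][0-9]*\) bits.*/\1/p')
    if [ "$kind" = "DH" ]; then
        min=2048                                      # finite-field DH limit
    else
        min=224                                       # ECDH P-256, X25519 pass
    fi
    if [ -n "$bits" ] && [ "$bits" -ge "$min" ]; then
        echo ok
    else
        echo too-small
    fi
}

# Live probe of an IMAP server (needs network; arguments are placeholders).
# Level 1 is requested only so the handshake completes and the key the
# server actually offers becomes visible; the verdict still uses level 2.
probe_imap() {
    openssl s_client -connect "$1:$2" -starttls imap \
        -cipher 'DEFAULT@SECLEVEL=1' </dev/null 2>&1 | classify_temp_key
}

# Offline demonstration on constructed handshake excerpts.
SAMPLE_WEAK='Server Temp Key: DH, 1024 bits'
SAMPLE_GOOD='Server Temp Key: X25519, 253 bits'
printf '%s\n' "$SAMPLE_WEAK" | classify_temp_key   # prints: too-small
printf '%s\n' "$SAMPLE_GOOD" | classify_temp_key   # prints: ok
```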
