| I've upgraded to Fedora 33 beta and I've discovered a problem with
| Thunderbird. All email accounts work well except the Red Hat one with
| mail.corp.redhat.com as an IMAP server (I use Zimbra servers not Gmail).
| 
| The problem is that Thunderbird does not show any error message but it's not
| able to communicate with the IMAP server. I'm not able to receive any
| message from the server. I'm able to send a message but a copy is then not
| saved to the Sent folder for the same reason. My first thought was that the
| problem is caused by a downgrade from 68.11 to 68.10 because Thunderbird
| currently FTBFS in Fedora 33 but it does not seem to be so. I've also tried
| to remove the account and add it back but it did not help because I was no
| longer able to log in to my account without any particular error message.
| I've also tried to delete the server's certificates.
| 
| The problem seems to be caused by strict crypto policies in Fedora 33 and
| a too small DH key provided by the server.
| 
| $ update-crypto-policies --show
| DEFAULT
| 
| $ openssl s_client -showcerts -connect mail.corp.redhat.com:993 -servername
| mail.corp.redhat.com
| CONNECTED(00000003)
| depth=3 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", OU =
| Red Hat IT, CN = Red Hat IT Root CA, emailAddress = info...@redhat.com
| verify return:1
| depth=2 O = Red Hat, OU = prod, CN = Intermediate Certificate Authority
| verify return:1
| depth=1 O = Red Hat, OU = prod, CN = Certificate Authority
| verify return:1
| depth=0 C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU =
| Information Technology, emailAddress = serviced...@redhat.com, CN =
| mail.corp.redhat.com
| verify return:1
| 139893557032768:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too
| small:ssl/statem/statem_clnt.c:2149:
| ---
| 
| $ sudo update-crypto-policies --set LEGACY
| Setting system policy to LEGACY
| Note: System-wide crypto policies are applied on application start-up.
| It is recommended to restart the system for the change of policies
| to fully take place.
| 
| $ openssl s_client -showcerts -connect mail.corp.redhat.com:993 -servername
| mail.corp.redhat.com
| CONNECTED(00000003)
| depth=3 C = US, ST = North Carolina, L = Raleigh, O = "Red Hat, Inc.", OU =
| Red Hat IT, CN = Red Hat IT Root CA, emailAddress = info...@redhat.com
| verify return:1
| depth=2 O = Red Hat, OU = prod, CN = Intermediate Certificate Authority
| verify return:1
| depth=1 O = Red Hat, OU = prod, CN = Certificate Authority
| verify return:1
| depth=0 C = US, ST = North Carolina, L = Raleigh, O = Red Hat, OU =
| Information Technology, emailAddress = serviced...@redhat.com, CN =
| mail.corp.redhat.com
| verify return:1
| ---
| ... <certificates chain> ...
| ---
| * OK IMAP4 ready
| 
| As you can see above, the DH key provided by the server is too small so the
| SSL verification fails. Setting the crypto policies to LEGACY solves the
| issue for me and I am again able to recreate my Red Hat account in
| Thunderbird.
| 
| Hope this helps. I'm going to report this problem to the service desk.

Same thing applies to mutt. I've filed this bz: 
       https://bugzilla.redhat.com/show_bug.cgi?id=1883976

Harish
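
An added example, not part of the original thread: a Python triage helper that reads a pasted `openssl s_client` transcript, rejoins error-queue lines that a mail client wrapped, and tells a client-side "dh key too small" rejection apart from a session that reached the IMAP greeting. The function names and status labels are made up for illustration, and the two sample transcripts are shortened from the output quoted above.

```python
import re

# OpenSSL 1.1.1 error-queue record:
#   <thread id>:error:<hex code>:<library>:<function>:<reason>:<file>:<line>:
ERR_RE = re.compile(
    r"^(?P<tid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):"
    r"(?P<func>[^:]+):(?P<reason>[^:]+):(?P<file>[^:]+):(?P<line>\d+):")

def unwrap(text):
    """Strip '|' or '>' quote markers and rejoin wrapped error records."""
    out = []
    for raw in text.splitlines():
        line = re.sub(r"^\s*[|>]\s?", "", raw).rstrip()
        incomplete = (out and re.match(r"^\d+:error:", out[-1])
                      and not ERR_RE.match(out[-1]))
        if incomplete and line and not line.startswith("---"):
            out[-1] += " " + line      # continuation of a wrapped record
        else:
            out.append(line)
    return out

def classify(text):
    """Return a small dict describing how the s_client session ended."""
    lines = unwrap(text)
    errors = [m.groupdict() for m in map(ERR_RE.match, lines) if m]
    for e in errors:
        if e["reason"] == "dh key too small":
            # The client refused the server's DHE parameters.
            return {"status": "rejected-weak-dh", "func": e["func"],
                    "where": f'{e["file"]}:{e["line"]}'}
    if errors:
        return {"status": "handshake-error", "reason": errors[0]["reason"]}
    if any(l.startswith("* OK") for l in lines):
        return {"status": "imap-greeting"}
    return {"status": "unknown"}

# Sample transcripts, shortened from the quoted output (quote markers kept).
FAILED = """\
| CONNECTED(00000003)
| verify return:1
| 139893557032768:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too
| small:ssl/statem/statem_clnt.c:2149:
| ---
"""
LEGACY_OK = "| CONNECTED(00000003)\n| verify return:1\n| ---\n| * OK IMAP4 ready\n"

if __name__ == "__main__":
    print(classify(FAILED))
    print(classify(LEGACY_OK))
```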


_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org