Andrey Jivsov wrote:
The problem is that Thunderbird 0.7.3 fails to generate an ephemeral DH
key larger than 1024 bits with error SEC_ERROR_KEYGEN_FAIL (-8092)
returned by the NSS module.

Congratulations! You have found something that strongly looks like a regression that is present on SSL connections for all mozilla.org products since the timeframe between the release of Mozilla 1.5 and of Mozilla 1.6, i.e. mz 1.5 is able to connect using EDH-RSA-DES-CBC3-SHA, and mz 1.6 gives the -8092 error.


It seems likely this regression is inside NSS.

# On the same host where you run Thunderbird, do the following:
   openssl dhparam -out dhparam-2048 2048

# this will take 5 mins on a Pentium 3 GHz

It's a looooong time. I believe very few people are doing this as it's not the default option of openssl (and other toolkits will not escape the fact that such a key takes very long to generate), so I think almost every EDH connection has the default of using a 'weak' 1024 DH key.


This explains why nobody saw the problem before you.
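
Added example, not part of the original message and not NSS or OpenSSL code: a Python sketch that reads the DH prime size out of a DHE ServerKeyExchange body (the RFC 5246 ServerDHParams layout), to check whether a server offers a group above the 1024 bits discussed in this thread. The function names and the sample bytes are assumptions made for illustration; the sample prime is a constructed placeholder, not a real group.

```python
import struct

def _read_vec16(buf, off):
    """Read one opaque<1..2^16-1> vector: 2-byte big-endian length, then data."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("vector length is zero or runs past the buffer")
    return buf[off:off + n], off + n

def parse_server_dh_params(body):
    """Parse dh_p, dh_g, dh_Ys from the start of a DHE ServerKeyExchange body."""
    p, off = _read_vec16(body, 0)
    g, off = _read_vec16(body, off)
    ys, off = _read_vec16(body, off)
    p_bits = int.from_bytes(p, "big").bit_length()  # ignores leading zero bytes
    return {
        "p_bits": p_bits,
        "g": int.from_bytes(g, "big"),
        "ys_len": len(ys),
        "over_1024": p_bits > 1024,  # the size range that failed in the report
        "params_len": off,  # offset where the signature (if any) starts
    }

def build_sample(bits):
    """Constructed ServerDHParams bytes; p is a placeholder, NOT a real safe prime."""
    p = (1 << (bits - 1)) | 1
    ys = p - 2
    out = b""
    for value in (p, 2, ys):
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
        out += struct.pack(">H", len(raw)) + raw
    return out

if __name__ == "__main__":
    for bits in (1024, 2048):
        print(bits, parse_server_dh_params(build_sample(bits)))
```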