Re: [qmailtoaster] dh key too small
Problem solved. My crypto policies were set to DEFAULT. Changing them to LEGACY and rebooting fixed the issue. Thank you xaf and Eric. Angus xaf wrote on 12/17/20 4:07 AM: Angus McIntyre a écrit le 16/12/2020 à 21:10 : 2048 bits ought to be enough, I would think. Most of the references to this problem that I was able to find suggested that it kicked in at 768 bits and smaller. So maybe it's the remote server. The remote is e4.echonyc.com (108.60.149.50). openssl s_client -connect e4.echonyc.com:993 -cipher "DH" | grep "Server Temp Key" Server Temp Key: DH, 1024 bits what gives update-crypto-policies --show should show LEGACY if not update-crypto-policies --set LEGACY and reboot xaf - To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com - To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
Re: [qmailtoaster] dh key too small
# openssl s_client -crlf -connect e4.echonyc.com:25 -starttls smtp -cert /var/qmail/control/servercert.pem |grep DH depth=3 C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services verify return:1 depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority verify return:1 depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA verify return:1 depth=0 CN = echonyc.com verify return:1 250 DSN jECbYvbeKEYxcQPMDHortQ4ehEWnJJ5fnUb5qNSCQSACgRRp0g5vLhyU5wcCkHml Server Temp Key: DH, 1024 bits New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384 Cipher : DHE-RSA-AES256-GCM-SHA384 quit On 12/17/2020 2:07 AM, xaf wrote: openssl s_client -connect e4.echonyc.com:993 -cipher "DH" - To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
Re: [qmailtoaster] dh key too small
Angus McIntyre a écrit le 16/12/2020 à 21:10 : > 2048 bits ought to be enough, I would think. Most of the references to > this problem that I was able to find suggested that it kicked in at 768 > bits and smaller. So maybe it's the remote server. > > The remote is e4.echonyc.com (108.60.149.50). openssl s_client -connect e4.echonyc.com:993 -cipher "DH" | grep "Server Temp Key" Server Temp Key: DH, 1024 bits what gives update-crypto-policies --show should show LEGACY if not update-crypto-policies --set LEGACY and reboot xaf - To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com