Hi Leandro,

On 2016-02-06 at 17:40, Leandro Noferini wrote:
> My imap server is courier with a self-signed certificate and it worked
> fine for many years but some days ago it began to give me this error:
>
> (...)
>
> ERROR: Unknown SSL protocol connecting to host 'bbs.cybervalley.org' for
> repository 'RemotoBBs'. OpenSSL responded:
> [SSL: SSL_NEGATIVE_LENGTH] dh key too small (_ssl.c:590)
>
> (...)
>
> What could be the error?

OpenSSL has issued a change to protect from a known vulnerability. You can read more here:

https://weakdh.org/
https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/

In short, the IMAP server (or another SSL service) uses the Diffie-Hellman (dh) protocol to establish keys for communication. A weakness in the protocol has been found if a short key for dh is used. So OpenSSL issued a patch which in effect disallows connections to servers with a weak dh key.

You can check if your IMAP server is vulnerable with the command:

    $ openssl s_client -connect $SERVER:imaps -cipher "EDH" | grep "Server Temp Key"

Where $SERVER is the hostname of your IMAP server. If the result shows 768 bits or less then OpenSSL (and OfflineIMAP effectively) will refuse to connect. Soon, 1024 bits will also be treated as too weak and refused.

I think in this situation, only the IMAP server admin can aid. Even if there were some action possible on the client side, it would be at a cost of lower security.

Best regards,
Tomasz

_______________________________________________
OfflineIMAP-project mailing list: [email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/offlineimap-project

OfflineIMAP homepages:
- https://github.com/OfflineIMAP
- http://offlineimap.org
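
The check described in the message above, as an added example that is not part of the original post or of OfflineIMAP: a small shell function that reads `openssl s_client` output and applies the 768-bit and 1024-bit thresholds the message states. The function name `classify_temp_key`, the verdict labels, and the treatment of every size up to 1024 bits as "at risk" are assumptions made for this example; the sample input is constructed.

```shell
#!/bin/sh
# classify_temp_key (hypothetical helper): reads `openssl s_client` output
# on stdin and prints one verdict line about the server's ephemeral key.

classify_temp_key() {
    out=$(cat)
    line=$(printf '%s\n' "$out" | grep 'Server Temp Key' | head -n 1)

    if [ -z "$line" ]; then
        # No temp key line: either the local OpenSSL already rejected the
        # handshake, or no ephemeral key exchange was negotiated.
        if printf '%s\n' "$out" | grep -q 'dh key too small'; then
            echo "REFUSED: local OpenSSL rejected the server's DH key"
        else
            echo "UNKNOWN: no Server Temp Key line in output"
        fi
        return 0
    fi

    # Elliptic-curve temp keys (ECDH, X25519) are not finite-field DH,
    # so the bit-size thresholds below do not apply to them.
    case "$line" in
        *"Server Temp Key: DH,"*) ;;
        *) echo "NOT-DH: ${line#*Server Temp Key: } (DH size limits do not apply)"
           return 0 ;;
    esac

    # Extract the number in front of "bits", e.g. "DH, 1024 bits" -> 1024.
    bits=$(printf '%s\n' "$line" | sed -n 's/.*[ ,]\([0-9][0-9]*\) bits.*/\1/p')

    if [ -z "$bits" ]; then
        echo "UNKNOWN: could not parse key size"
    elif [ "$bits" -le 768 ]; then
        echo "REFUSED: DH $bits bits (768 bits or less is rejected)"
    elif [ "$bits" -le 1024 ]; then
        # Assumption: sizes between 769 and 1024 are treated like 1024.
        echo "AT-RISK: DH $bits bits (1024 bits is due to be refused)"
    else
        echo "OK: DH $bits bits"
    fi
}

# Constructed sample line, so the script runs without a network connection.
printf 'Server Temp Key: DH, 768 bits\n' | classify_temp_key

# Against a real server (stderr merged so a local rejection is seen too):
#   openssl s_client -connect "$SERVER:imaps" -cipher "EDH" </dev/null 2>&1 | classify_temp_key
```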
