Thanks David for your response, unfortunately I don't understand how to
connect the dots... Taking a wild guess I suspect that in order to
"disable support for export cipher suites and use a 2048-bit
Diffie-Hellman group" I must make some sort of changes in the
server-sockets group in the James config.xml file? But I cannot find any
documentation showing me what all the parameters and their possible
values mean or what options I need to choose from. Can you (or anyone
else) shine more light on what path I need to follow or provide me with
a cookbook set of instructions? Thanks again in advance...
Marc...
P.S. The section I am referring to, in config.xml looks like this....
<sockets>
<server-sockets>
<factory name="plain"
class="org.apache.avalon.cornerstone.blocks.sockets.DefaultServerSocketFactory"/>
<!-- -->
<factory name="ssl"
class="org.apache.avalon.cornerstone.blocks.sockets.TLSServerSocketFactory">
<ssl-factory>
<keystore>
<file>conf/keystore</file>
<password>mypassword</password>
<key-password>mypassword</key-password>
<type>JKS</type>
<protocol>TLS</protocol>
<algorithm>SunX509</algorithm>
<authenticate-client>false</authenticate-client>
</keystore>
</ssl-factory>
</factory>
<!-- -->
</server-sockets>
<client-sockets>
<factory name="plain"
class="org.apache.avalon.cornerstone.blocks.sockets.DefaultSocketFactory"/>
</client-sockets>
</sockets>
On 12/28/2015 05:59 AM, David Legg wrote:
Hi Marc,
I think you are running into the consequences of a recently exposed
certificate security issue. The "Logjam" attack is an example of the
threat in action.
I believe that as a result of this issue the industry (notably Google
and Mozilla) have updated software and servers to reject certificates it
doesn't consider secure enough. For Thunderbird see here:
https://support.mozilla.org/en-US/kb/thunderbird-and-logjam
The problem is explained more fully here: https://weakdh.org/
I think as a minimum you will have to update your version of OpenSSH if
that is what you are using and maybe disable support for export cipher
suites and use a 2048-bit Diffie-Hellman group.
Regards,
David Legg
On 28/12/15 04:22, Marc Chamberlin wrote:
Hi - I am running a James 2.3.2 server on OpenSuSE12.3 and am running
into an issue with using TLS/SSL connections. In particular clients
using Mozilla Thunderbird can no longer connect on those ports to pick
up or send emails. (This use to work fine and I have not changed my
James configuration file. I just now updated my keystore file but that
made no difference. Thunderbird issues a complaint -
SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange
handshake message.
(Error code: ssl_error_weak_server_ephemeral_dh_key)
Anyone got any ideas on what one is to do to solve this issue? Thanks in
advance... Marc...
---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org
For additional commands, e-mail: server-user-h...@james.apache.org
--
"The Truth is out there" - Spooky
---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org
For additional commands, e-mail: server-user-h...@james.apache.org
