On Saturday 26 October 2024 18:14:17 BST Walter Dnes wrote:
>   My personal domain inbound email is directed to COTSE.net.  I pull
> with fetchmail.  After yesterday's world update, fetchmail has been
> failing with the error message in the subject.  I can still access my
> incoming email via webmail mode (BLEAGH!!!).  I've set my gmail address
> to forward directly to my ISP inbox, avoiding this problem.
> 
>   It seems that the latest openssl has ratcheted up their "security
> level".  After "asking Mr. Google", I tried the answer at...
> https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level
> which doesn't work for me.

DH primes of a low value are vulnerable to brute force attacks.  OpenSSL 
responds to real-life threat models for a reason, e.g.:

https://weakdh.org/


>   I also tried reverting to the previous version of openssl.  That
> failed because...

This is not advisable, at least it is not advisable from a security 
perspective.


> * the latest "curl" requires the latest openssl
> 
> * a whole bunch of apps in my "world" now require the latest "curl"
> 
>   I also tried...
> 
> * USE="-ssl" emerge fetchmail # results in authorization failure
> 
> * USE="weak-ssl-ciphers" emerge openssl # doesn't help
> 
>   Any ideas?  Webmail sucks!

You can check the TLS Certificate chain used by COTSE.net mail server, e.g.:

 openssl s_client -connect mail.cotse.net\:993 -crlf -starttls imap -showcerts

If these guys are still using deprecated TLS versions, you can ask them to 
upgrade their SSL/TLS libraries and perhaps their OS - what other deprecated/
unpatched software are they running?
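As an added example that is not part of this thread, a small Python script that runs the same s_client probe as above (or parses saved output of it) and reports which key sizes a client at a given OpenSSL security level would refuse. The sample output embedded in it is constructed, not a capture from COTSE.net, and the level-to-key-size table is the one documented in SSL_CTX_set_security_level(3); ECDH curves are left unjudged.

```python
import re
import subprocess
# Minimum finite-field DH / RSA key size accepted at each OpenSSL security
# level, as documented in SSL_CTX_set_security_level(3).
MIN_KEY_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}
PROTO_RE = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M)
TEMP_KEY_RE = re.compile(r"Server Temp Key:\s*([\w-]+)\b.*?(\d+)\s+bits")
PUBKEY_RE = re.compile(r"Server public key is (\d+) bit")

def parse_s_client(output: str) -> dict:
    """Pull protocol, ephemeral key and certificate key size out of s_client output."""
    info = {"protocol": None, "kex": None, "kex_bits": None, "pubkey_bits": None}
    if m := PROTO_RE.search(output):
        info["protocol"] = m.group(1)
    if m := TEMP_KEY_RE.search(output):
        info["kex"], info["kex_bits"] = m.group(1), int(m.group(2))
    if m := PUBKEY_RE.search(output):
        info["pubkey_bits"] = int(m.group(1))
    return info

def seclevel_problems(info: dict, level: int = 2) -> list:
    """List key sizes a client at `level` rejects (ECDH curves are not judged here)."""
    minimum, problems = MIN_KEY_BITS[level], []
    if info["kex"] == "DH" and info["kex_bits"] < minimum:
        problems.append(f"DH parameter is {info['kex_bits']} bits, level {level} needs {minimum}")
    if info["pubkey_bits"] is not None and info["pubkey_bits"] < minimum:
        problems.append(f"server key is {info['pubkey_bits']} bits, level {level} needs {minimum}")
    return problems

def probe(host: str, port: int = 993, starttls: str = "imap") -> dict:
    """Run the same openssl s_client command as in the mail above and parse it (needs network)."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-crlf",
           "-starttls", starttls, "-showcerts"]
    proc = subprocess.run(cmd, input="", capture_output=True, text=True, timeout=30)
    return parse_s_client(proc.stdout + proc.stderr)

# Constructed s_client output (not a real capture): 2048-bit RSA cert, 1024-bit DHE group.
SAMPLE_OUTPUT = """\
Server public key is 2048 bit
Server Temp Key: DH, 1024 bits
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
"""

if __name__ == "__main__":
    facts = parse_s_client(SAMPLE_OUTPUT)  # replace with probe("mail.cotse.net") for a live check
    for level in (1, 2):
        print(f"seclevel {level}:", seclevel_problems(facts, level) or "no key-size problems")
```

A 1024-bit DHE group passes at level 1 and fails at level 2, which is the difference a distribution's openssl.cnf default can make between one update and the next.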
