DHE_EXPORT ciphers and Ispconfig

Discussion in 'Installation/Configuration' started by tsapi, Jul 18, 2015.

  1. tsapi

    tsapi New Member HowtoForge Supporter

    After upgrading my Thunderbird to version 38.1.0, it couldn't "speak" with my mail server (debian 8 , ispconfig - everything freshly updated). In the error console of Thunderbird the error reported was:
    "Error: An error occurred during a connection to mail.blahblah.gr:143.
    SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.
    (Error code: ssl_error_weak_server_ephemeral_dh_key)".
    The whole story has to do with weaknesses of the TLS protocol (https://weakdh.org/ )
    The easy workaround is to make a couple of configuration changes in Thunderbird, as described here http://forums.mozillazine.org/viewt...id=26db6c9cd3c3321aaec6ecb3e176d19f#p14239367
    The real solution would be to configure at the side of the server all TLS-dependent services not to use the "weak" DHE_EXPORT ciphers.
    Is anyone aware of what configuration changes need to be done?
    As lots of people are using thunderbird, this problem is going to affect lots of ISPConfig installations in the next days..
    Last edited: Jul 19, 2015
  2. till

    till Super Moderator Staff Member ISPConfig Developer

  3. tsapi

    tsapi New Member HowtoForge Supporter

    There are some differences between what described in the message and waht I actually did (had to do):
    1. in
    the actual config line is
    SSLProtocol all -SSLv3
    and I edited it to
    SSLProtocol all -SSLv2 -SSLv3
    2. in
    should the configuration entry be
    , and NOT
    (as mentioned in the message)? If my assumption is correct, then the message (instructions) should maybe edited to avoid misunderstandings.

    Anyway, I made all the changes described in the message, but Thunderbird still doesn't "work", with the same error message.

  4. tsapi

    tsapi New Member HowtoForge Supporter

Share This Page