On Saturday 26 October 2024 18:14:17 BST Walter Dnes wrote:
> My personal domain inbound email is directed to COTSE.net. I pull
> with fetchmail. After yesterday's world update, fetchmail has been
> failing with the error message in the subject. I can still access my
> incoming email via webmail mode (BLEAGH!!!). I've set my gmail address
> to forward directly to my ISP inbox, avoiding this problem.
>
> It seems that the latest openssl has ratcheted up their "security
> level". After "asking Mr. Google", I tried the answer at...
> https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level
> which doesn't work for me.

DH primes of a low value are vulnerable to brute force attacks. OpenSSL responds to real life threat models for a reason, e.g.:

https://weakdh.org/

> I also tried reverting to the previous version of openssl. That
> failed because...

This is not advisable, at least it is not advisable from a security perspective.

> * the latest "curl" requires the latest openssl
> * a whole bunch of apps in my "world" now require the latest "curl"
>
> I also tried...
>
> * USE="-ssl" emerge fetchmail # results in authorization failure
> * USE="weak-ssl-ciphers" emerge openssl # doesn't help
>
> Any ideas? Webmail sucks!

You can check the TLS Certificate chain used by COTSE.net mail server, e.g.:

openssl s_client -connect mail.cotse.net\:993 -crlf -starttls imap -showcerts

If these guys are still using deprecated TLS versions, you can ask them to upgrade their SSL/TLS libraries and perhaps their OS - what other deprecated/unpatched software are they running?
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)
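
Added example, not part of the original message: a shell helper that reads saved `openssl s_client` output and reports the highest OpenSSL security level the server's ephemeral DH key would pass. The size minimums are those documented for SSL_CTX_set_security_level; the function names and sample output are constructed, and the "Peer Temp Key:" spelling is an assumption about other openssl builds.

```shell
#!/bin/sh
# Added example: classify the server's ephemeral key from saved s_client output.

# Print "<type> <bits>" from the "Server Temp Key:" line.
# "Peer Temp Key:" is also accepted (assumed spelling in other builds).
temp_key() {
    sed -n -E 's/^(Server|Peer) Temp Key: ([A-Za-z0-9]+),.* ([0-9]+) bits$/\2 \3/p' |
        head -n 1
}

# Highest security level a finite-field DH key of $1 bits satisfies.
# Documented minimums for levels 1..5: 1024, 2048, 3072, 7680, 15360 bits.
dh_max_seclevel() {
    bits=$1
    level=0
    for min in 1024 2048 3072 7680 15360; do
        if [ "$bits" -ge "$min" ]; then
            level=$((level + 1))
        fi
    done
    echo "$level"
}

# Read s_client output on stdin and print a one-line verdict.
assess() {
    set -- $(temp_key)
    if [ $# -ne 2 ]; then
        echo "no temp key line found"
        return 1
    fi
    case $1 in
        DH) echo "DH $2 bits: accepted up to SECLEVEL=$(dh_max_seclevel "$2")" ;;
        *)  echo "$1 $2 bits: not finite-field DH, DH size limit does not apply" ;;
    esac
}

# Constructed sample of the relevant lines (not captured from a real server).
SAMPLE='---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: DH, 1024 bits
---'

printf '%s\n' "$SAMPLE" | assess
```

A result below the client's configured level means the fix belongs on the server side: larger DH parameters or an ECDHE key exchange.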