Hi,

I just upgraded my TW notebook to 20210316. Now I cannot log in to my (university) mail server via mutt anymore. I only get

gnutls_handshake: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).

Looks like some default settings have changed? But which - and how do I override it?

Thanks for any hints!
Peter Suetterlin wrote:
> Hi,
> I just upgraded my TW notebook to 20210316. Now I cannot log in to my (university) mail server via mutt anymore. I only get
> gnutls_handshake: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
> Looks like some default settings have changed? But which - and how do I override it?

DH primes come in different lengths - I don't know anything about mutt, but somewhere there is bound to be a config file that also says which primes to use.

-- 
Per Jessen, Zürich (2.1°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
Per Jessen wrote:
> Peter Suetterlin wrote:
>> Hi,
>> I just upgraded my TW notebook to 20210316. Now I cannot log in to my (university) mail server via mutt anymore. I only get
>> gnutls_handshake: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
>> Looks like some default settings have changed? But which - and how do I override it?
>
> DH primes come in different lengths - I don't know anything about mutt, but somewhere there is bound to be a config file that also says which primes to use.

Yeah, I'm searching. But mutt config (or version, for that matter) hasn't changed AFAICS, and

woodstock:~% man -k gnutls|wc -l
1138

is a bit discouraging :P
Per Jessen wrote:
> Peter Suetterlin wrote:
>> Hi,
>> I just upgraded my TW notebook to 20210316. Now I cannot log in to my (university) mail server via mutt anymore. I only get
>> gnutls_handshake: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
>> Looks like some default settings have changed? But which - and how do I override it?
>
> DH primes come in different lengths - I don't know anything about mutt, but somewhere there is bound to be a config file that also says

... which lengths to accept. It sounds like your server is sending a 'short' one, which some setting in mutt refuses. If you google the error message, there are plenty of hits, but many are quite old.

-- 
Per Jessen, Zürich (2.1°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
Per Jessen wrote:
> Per Jessen wrote:
>> Peter Suetterlin wrote:
>>> gnutls_handshake: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
>>> Looks like some default settings have changed? But which - and how do I override it?
>>
>> DH primes come in different lengths - I don't know anything about mutt, but somewhere there is bound to be a config file that also says
>
> ... which lengths to accept. It sounds like your server is sending a 'short' one, which some setting in mutt refuses.
> If you google the error message, there are plenty of hits, but many are quite old.

Yes, did that (of course), but reports from >10 years ago are not too helpful, and so far I didn't find one that tells me where to change what :(

But as I said, mutt hasn't changed, libgnutls30 has (3.6.15->3.7.1), but doesn't have *any* configuration files... :(
Peter Suetterlin wrote:
> Per Jessen wrote:
>> Per Jessen wrote:
>>> Peter Suetterlin wrote:
>>>> gnutls_handshake: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
>>>> Looks like some default settings have changed? But which - and how do I override it?
>>>
>>> DH primes come in different lengths - I don't know anything about mutt, but somewhere there is bound to be a config file that also says
>>
>> ... which lengths to accept. It sounds like your server is sending a 'short' one, which some setting in mutt refuses.
>> If you google the error message, there are plenty of hits, but many are quite old.
>
> Yes, did that (of course), but reports from >10 years ago are not too helpful, and so far I didn't find one that tells me where to change what :(

Sorry, yeah I agree, thought I would mention it anyway.

> But as I said, mutt hasn't changed, libgnutls30 has (3.6.15->3.7.1), but doesn't have *any* configuration files...

Guessing wildly - so somehow the TLS library increased the minimum standards, and requires longer DH primes, probably 1024. I know this is a cop-out, but maybe contact university IT support and ask them? For e.g. postfix and dovecot, we have DH primes of length 512, 1024 and 2048, rebuilt every day.

-- 
Per Jessen, Zürich (0.6°C)
http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
Per Jessen wrote:
> Sorry, yeah I agree, thought I would mention it anyway.

That was no accusation. Thanks for sharing my pain ;^>

> Guessing wildly - so somehow the TLS library increased the minimum standards, and requires longer DH primes, probably 1024.

Yes, guessed that, but so far I fail to find how to override it. Will continue tomorrow, I have some night work to do now :)

> I know this is a cop-out, but maybe contact university IT support and ask them?

Yep, also tomorrow. Guess others will fall across that, too, sooner or later. Thanks again!
On Wed, 17 Mar 2021 20:24:14 +0000 Peter Suetterlin <pit@astro.su.se> wrote:
> Per Jessen wrote:
>> Sorry, yeah I agree, thought I would mention it anyway.
>
> That was no accusation. Thanks for sharing my pain ;^>
>
>> Guessing wildly - so somehow the TLS library increased the minimum standards, and requires longer DH primes, probably 1024.
>
> Yes, guessed that, but so far I fail to find how to override it. Will continue tomorrow, I have some night work to do now :)
>
>> I know this is a cop-out, but maybe contact university IT support and ask them?
>
> Yep, also tomorrow. Guess others will fall across that, too, sooner or later. Thanks again!

First hit searching for mutt tls prime length is

http://www.mutt.org/doc/manual/

and searching it for prime immediately finds

3.362. ssl_min_dh_prime_bits
Type: number
Default: 0

This variable specifies the minimum acceptable prime size (in bits) for use in any Diffie-Hellman key exchange. A value of 0 will use the default from the GNUTLS library. (GnuTLS only)

which would suggest setting an explicit value there.

Second hit for gnutls prime length is

https://gnutls.org/faq.html

and the first FAQ is a suggested workaround.
Dave Howorth wrote:
> First hit searching for mutt tls prime length is
> http://www.mutt.org/doc/manual/
> and searching it for prime immediately finds
>
> 3.362. ssl_min_dh_prime_bits
> Type: number
> Default: 0
> This variable specifies the minimum acceptable prime size (in bits) for use in any Diffie-Hellman key exchange. A value of 0 will use the default from the GNUTLS library. (GnuTLS only)

Nice find, Dave!

-- 
Per Jessen, Zürich (1.5°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
Dave Howorth wrote:
> On Wed, 17 Mar 2021 20:24:14 +0000
>
> First hit searching for mutt tls prime length is
> http://www.mutt.org/doc/manual/
> and searching it for prime immediately finds
>
> 3.362. ssl_min_dh_prime_bits
> Type: number
> Default: 0
> This variable specifies the minimum acceptable prime size (in bits) for use in any Diffie-Hellman key exchange. A value of 0 will use the default from the GNUTLS library. (GnuTLS only)
>
> which would suggest setting an explicit value there.

Aah! You're a hero! Thank you so much! Took a moment to find the proper value, and where to set it, but I now added "ssl_min_dh_prime_bits=1008" to the preconnect settings for this server, and can properly connect again! You saved my day.

> Second hit for gnutls prime length is
> and the first FAQ is a suggested workaround

Yes, I found that, but had no idea(*) how to use/set "NORMAL:-DHE-RSA" as a priority string :P But at least I got the (old?) default of 1008 that I now use from that FAQ.

(*) Yes, I'm sort-of a mail noob.
Hello,

On Thu, 18 Mar 2021, Peter Suetterlin wrote:
> Yes, I found that, but had no idea(*) how to use/set "NORMAL:-DHE-RSA" as a priority string :P

https://www.gnutls.org/manual/html_node/System_002dwide-configuration-of-the...

and the ones linked at the bottom, e.g.:

https://www.gnutls.org/manual/html_node/Application_002dspecific-priority-st...
https://www.gnutls.org/manual/html_node/Overriding-the-parameter-verificatio...

HTH,
-dnh

-- 
Documentation: Cryptic, lacking, erroneous. Pick any three.
On Friday, 19 March 2021 5:20:39 ACDT David Haller wrote:
> Hello,
>
> On Thu, 18 Mar 2021, Peter Suetterlin wrote:
>> Yes, I found that, but had no idea(*) how to use/set "NORMAL:-DHE-RSA" as a priority string :P
>
> https://www.gnutls.org/manual/html_node/System_002dwide-configuration-of-the-library.html
>
> and the ones linked at the bottom, e.g.:
>
> https://www.gnutls.org/manual/html_node/Application_002dspecific-priority-strings.html
> https://www.gnutls.org/manual/html_node/Overriding-the-parameter-verification-profile.html
>
> HTH,
> -dnh

So now I'm having the same problem with Kmail Version 5.16.3 (20.12.3). The GnuTLS docs suggest /etc/gnutls/config but that does not exist on TW, and I can't find any config parameter for Kmail. Any ideas, anyone?

-- 
==============================================================
Rodney Baker VK5ZTV
rodney.baker@iinet.net.au
CCNA #CSCO12880208
==============================================================
On Thu, Mar 25, 2021 at 11:29:54PM +1030, Rodney Baker wrote:
> On Friday, 19 March 2021 5:20:39 ACDT David Haller wrote:
>> Hello,
>>
>> On Thu, 18 Mar 2021, Peter Suetterlin wrote:
>>> Yes, I found that, but had no idea(*) how to use/set "NORMAL:-DHE-RSA" as a priority string :P
>>
>> https://www.gnutls.org/manual/html_node/System_002dwide-configuration-of-the-library.html
>>
>> and the ones linked at the bottom, e.g.:
>>
>> https://www.gnutls.org/manual/html_node/Application_002dspecific-priority-strings.html
>> https://www.gnutls.org/manual/html_node/Overriding-the-parameter-verification-profile.html
>>
>> HTH,
>> -dnh
>
> So now I'm having the same problem with Kmail Version 5.16.3 (20.12.3). The GnuTLS docs suggest /etc/gnutls/config but that does not exist on TW, and I can't find any config parameter for Kmail. Any ideas, anyone?

Is your mailserver not supporting TLS 1.2? You can try switching gnutls/openssl to legacy mode:

update-crypto-policies --set LEGACY

Ciao, Marcus
On Friday, 26 March 2021 1:47:53 ACDT Marcus Meissner wrote:
> On Thu, Mar 25, 2021 at 11:29:54PM +1030, Rodney Baker wrote:
>> On Friday, 19 March 2021 5:20:39 ACDT David Haller wrote:
>>> Hello,
>>>
>>> On Thu, 18 Mar 2021, Peter Suetterlin wrote:
>>>> Yes, I found that, but had no idea(*) how to use/set "NORMAL:-DHE-RSA" as a priority string :P
>>>
>>> https://www.gnutls.org/manual/html_node/System_002dwide-configuration-of-the-library.html
>>>
>>> and the ones linked at the bottom, e.g.:
>>>
>>> https://www.gnutls.org/manual/html_node/Application_002dspecific-priority-strings.html
>>> https://www.gnutls.org/manual/html_node/Overriding-the-parameter-verification-profile.html
>>>
>>> HTH,
>>> -dnh
>>
>> So now I'm having the same problem with Kmail Version 5.16.3 (20.12.3). The GnuTLS docs suggest /etc/gnutls/config but that does not exist on TW, and I can't find any config parameter for Kmail. Any ideas, anyone?
>
> Is your mailserver not supporting TLS 1.2?
> You can try switching gnutls/openssl to legacy mode:
>
> update-crypto-policies --set LEGACY
>
> Ciao, Marcus

Awesome, thanks, Marcus! I had to use 'cnf update-crypto-policies' and then install crypto-policy-scripts first, but then it worked and fixed the issue.

So, I guess the answer to your question is, "No, it appears iiNet's smtp servers are not yet supporting TLS1.2." That will be the subject of a technical support request to my ISP to get them to fix it. Unfortunately I doubt that the first-level tech support monkeys will have any idea what to do about that. Hopefully they have enough initiative to escalate it to the right group.

Regards,
Rodney.

-- 
==============================================================
Rodney Baker VK5ZTV
rodney.baker@iinet.net.au
CCNA #CSCO12880208
==============================================================
Hi,

On Wed, Mar 17, 2021 at 06:51:45PM +0000, Peter Suetterlin wrote:
> Hi,
> I just upgraded my TW notebook to 20210316. Now I cannot log in to my (university) mail server via mutt anymore. I only get
> gnutls_handshake: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
> Looks like some default settings have changed? But which - and how do I override it?
> Thanks for any hints!

The cause is likely that we introduced crypto-policies, so far for gnutls and openssl, more to follow. The new default crypto policies have higher requirements than the gnutls standard before. In this case try:

update-crypto-policies --set LEGACY

and see if it helps. Perhaps also tell your university to upgrade the DH parameters on their mailserver.

Ciao, Marcus
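For the server-side half of this thread (Marcus's advice to have the university upgrade the DH parameters on their mailserver, and Per's daily-regenerated 512/1024/2048-bit dhparam files for postfix and dovecot), here is a way to check, offline, whether a dhparam file would pass the client's minimum before a user runs into the gnutls_handshake error. This is an added example written for this page, not code from the thread, mutt, GnuTLS or crypto-policies. It parses the PKCS#3 "DH PARAMETERS" PEM (a DER SEQUENCE of two INTEGERs, prime and generator) and compares the prime's bit length against a minimum, which is the check a GnuTLS client applies to the ServerKeyExchange. The policy thresholds are assumptions, not stated in the thread: 2048 and 1024 bits are the DEFAULT and LEGACY minimums from the crypto-policies man page, and 1008 is the value Peter set for mutt's ssl_min_dh_prime_bits. The sample parameter blocks are constructed with stand-in moduli; only their bit lengths matter here.

```python
"""Check a server's DH parameters against a client minimum-size policy.

Added example for this thread (not mutt/GnuTLS/crypto-policies code).
Parses the PKCS#3 PEM that openssl dhparam, postfix and dovecot use:
    DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }
and reports whether a client with the given policy would accept the prime.
"""
import base64
import re
import textwrap

# Minimum DH prime sizes per policy (assumption, not from the thread):
# 2048/1024 follow the crypto-policies man page for DEFAULT/LEGACY,
# 1008 is the ssl_min_dh_prime_bits value Peter used in mutt.
MIN_DH_BITS = {"DEFAULT": 2048, "LEGACY": 1024, "mutt-1008": 1008}


def _der_len(n):
    """DER length octets: short form below 128, long form (0x80 | count) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value):
    """DER INTEGER for a non-negative int; the extra bit keeps the sign bit clear."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def encode_dhparams(p, g=2):
    """DER-encode DHParameter { prime, base } and wrap it in a DH PARAMETERS PEM."""
    body = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN DH PARAMETERS-----\n"
            + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END DH PARAMETERS-----\n")


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_dhparams(pem):
    """Return (p, g) from the DH PARAMETERS block inside a PEM string."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected two INTEGERs (prime, base)")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def check_dhparams(pem, policy="DEFAULT"):
    """Decide as a client would: is the server's prime at least the policy minimum?"""
    p, _ = parse_dhparams(pem)
    bits = p.bit_length()
    minimum = MIN_DH_BITS[policy]
    return {"bits": bits, "minimum": minimum, "accepted": bits >= minimum}


# Constructed sample moduli: NOT real safe primes, only the bit length matters
# for this check. Never deploy these as actual DH parameters.
SAMPLE_1024 = encode_dhparams((1 << 1023) | 0x1)   # 1024-bit modulus
SAMPLE_2048 = encode_dhparams((1 << 2047) | 0x1)   # 2048-bit modulus

if __name__ == "__main__":
    for name, pem in (("1024-bit", SAMPLE_1024), ("2048-bit", SAMPLE_2048)):
        for policy in MIN_DH_BITS:
            r = check_dhparams(pem, policy)
            state = "ok" if r["accepted"] else "REJECTED"
            print(f"{name:>9} under {policy:<9}: {state} (min {r['minimum']} bits)")
```

To test a real file, pass its contents to check_dhparams (for example the dhparam file named in your postfix or dovecot TLS settings) with the policy your clients run. The check only looks at the prime's length, not at its quality; the client library additionally applies its priority string, so a prime that passes here can still be refused by a client that disables DHE altogether.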
Participants (6): Dave Howorth, David Haller, Marcus Meissner, Per Jessen, Peter Suetterlin, Rodney Baker