Bug#787505: libnss3: NSS 3.19.1 breaks icedove IMAPS to server with DH 786 temp key
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Jun 2 13:35:15 UTC 2015
On Tue 2015-06-02 06:45:25 -0400, Ben Caradoc-Davies wrote:
> Since the upgrade to NSS 3.19.1, icedove refuses to connect to an IMAPS server with
> a "Server Temp Key: DH, 768 bits". Workaround is to downgrade to NSS 3.19 or
> change icedove connection to unencrypted IMAP.
>
> To protect against logjam attacks, NSS 3.19.1 refuses to connect to servers
> with a finite field algorithm key strength less than 1023 bits:
> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.19.1_release_notes
>
> This behaviour breaks icedove on Debian clients that need to connect to IMAPS
> servers with weak server temp keys. Note that these are clients which have no
> control over configuration of remote servers. Workaround is to downgrade to NSS
> 3.19 or change icedove connection to unencrypted IMAP.

This sounds like a feature, not a bug, because it means that users are
now aware that their "secure" imap connections are probably not what
they expect.

Are these IMAP servers in the wild? Could you point me to them?

--dkg
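
Added example, not part of the original message or of NSS: a small triage script that reads saved `openssl s_client` transcripts, finds the "Server Temp Key" line quoted in the report, and flags servers whose finite-field DH key is below the 1023-bit minimum that the report attributes to NSS 3.19.1. The host names, sample transcripts, verdict strings and the rule that only plain "DH" keys are subject to the limit are assumptions made for illustration.

```python
import re

# Smallest finite-field DH size NSS 3.19.1 still accepts, per the release
# notes quoted in the report ("less than 1023 bits" is refused).
NSS_MIN_FF_BITS = 1023

# "Server Temp Key: DH, 768 bits" is the form quoted in the report; the
# ECDH/X25519 forms carry an extra field or a different key type.
TEMP_KEY_RE = re.compile(
    r"^\s*Server Temp Key:\s*(?P<kind>[^,\s]+),(?:.*,)?\s*(?P<bits>\d+) bits",
    re.MULTILINE,
)


def classify_temp_key(transcript):
    """Return (verdict, key_type, bits) for one s_client transcript."""
    m = TEMP_KEY_RE.search(transcript)
    if m is None:
        # No ephemeral key line, e.g. static RSA key exchange or failed handshake.
        return ("no-temp-key", None, None)
    kind, bits = m.group("kind"), int(m.group("bits"))
    if kind != "DH":
        # Assumption: only plain "DH" keys fall under the finite-field limit.
        return ("not-finite-field", kind, bits)
    if bits < NSS_MIN_FF_BITS:
        return ("refused-by-nss-3.19.1", kind, bits)
    return ("accepted", kind, bits)


def refused_hosts(transcripts):
    """Names of servers whose DH temp key NSS 3.19.1 would refuse."""
    return sorted(
        host for host, text in transcripts.items()
        if classify_temp_key(text)[0] == "refused-by-nss-3.19.1"
    )


# Constructed sample transcripts (hypothetical hosts, trimmed to relevant lines).
SAMPLES = {
    "imap-a.example": "---\nNo client certificate CA names sent\nServer Temp Key: DH, 768 bits\n---\n",
    "imap-b.example": "---\nServer Temp Key: DH, 2048 bits\n---\n",
    "imap-c.example": "---\nServer Temp Key: ECDH, P-256, 256 bits\n---\n",
    "imap-d.example": "---\nNew, TLSv1/SSLv3, Cipher is AES128-SHA\n---\n",
}

if __name__ == "__main__":
    for host, text in sorted(SAMPLES.items()):
        print(host, classify_temp_key(text))
    print("refused:", refused_hosts(SAMPLES))
```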