weak ephemeral Diffle-Hellman key error when connecting to imap server TBird 38.1.0
Hi, this started happening around 36 hours ago. When checking mail occasionally see status line message "checking server capabilities",
error console reveals
Timestamp: 15/07/2015 6:54:43 AM Error: An error occurred during a connection to ju001lcs06.cbr.the-server.com.au:993. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)
Searching for this error points to a couple of workarounds in FFox, which I've done anyway, but not anything Thunderbird related that I could find.
No mail is being retrieved.
Any assistance appreciated.
All Replies (20)
Can you post your Troubleshooting Information? Help (Alt-H) - Troubleshooting Information
Other nstalls with v37.1.0 had no problem connecting to this particular server. Unfortunately I can't offer more information as I've uninstalled TB and moved to another product. Thanks for your assistance.
For anyone else coming across this thread, disabling the weak ciphers in the configuration editor may resolve this issue. The equivalent settings for Firefox are discussed here: https://support.mozilla.org/questions/1071500
(Unfortunately, I don't have TB on this computer to test.)
disabling the weak ciphers in the configuration editor may resolve this issue.
This doesn't address the underlying problem, which is a misconfigured server exposing it's users to the Logjam vulnerability. https://weakdh.org/
Thunderbird is not supposed to communicate with servers which haven't been patched and are still vulnerable.
Diubah
christ1 said
disabling the weak ciphers in the configuration editor may resolve this issue.This doesn't address the underlying problem, which is a misconfigured server exposing it's users to the Logjam vulnerability. https://weakdh.org/
Thunderbird is not supposed to communicate with servers which haven't been patched and are still vulnerable.
What I think this change does is cause Firefox (and possibly TB) to reject those ciphers if the server tries to use them for any purpose, including key exchange. Then if the server is capable of using stronger ciphers for key exchange, it should do so.
I guess that is a failure to stand on principle, but if you need your email...
christ1 said
Can you post your Troubleshooting Information? Help (Alt-H) - Troubleshooting Information
Thats a huge amount of stuff on that Troubleshooting Document. You want it all or is there some specific info you are looking for. Mine quit working and this is the same error I receive. Started saying that it "Can't Save to sent file" then I cant receive any emails. I can send one every now and then.
Sorry Double posted by accident
Diubah
There is an extension named "Disable DHE" that turns off four weak ciphers. If you want to try it, you can use Tools > Add-ons and search from there.
https://addons.mozilla.org/firefox/addon/disable-dhe/
(Developer reply to a recent review says it should work in Thunderbird.)
jscher2000 I am going to try to find what you are talking about. I will let you know if i can figure it out.
So I get 3 errors every time I try to get my mail in Thunderbird. The ones I got this morning. are pasted at the end here.
I still can not get mail but it appears that I can Send mail. One of the accounts continually says "There was an error Saving the message to Sent. Retry?"
I am running in safe mode ANY HELP WOULD BE WONDERFUL. I really Hate having to use the WEBMAIL that our mailserver provides.
Timestamp: 7/17/2015 8:17:27 AM Error: downloadable font: kern: Too large subtable., table discarded (font-family: "Open Sans Light" style:normal weight:normal stretch:normal src index:1) source: https://mozorg.cdn.mozilla.net/media/fonts/OpenSans-Light-webfont.1c8075cacedb.woff Source File: https://mozorg.cdn.mozilla.net/media/css/thunderbird-start-bundle.f3f2a61e7492.css Line: 1, Column: 36 Source Code: @font-face { font-family: "Open Sans Light"; font-style: normal; font-weight: normal; src: url("/media/fonts/OpenSans-Light-webfont.804037562eab.eot?#iefix") format("embedded-opentype"), url("/media/fonts/OpenSans-Light-webfont.1c8075cacedb.woff") format("woff"), url("/media/fonts/OpenSans-Light-webfont.ecb4572a5e47.ttf") format("truetype"); }
Timestamp: 7/17/2015 8:17:27 AM Error: downloadable font: kern: Too large subtable., table discarded (font-family: "Open Sans" style:normal weight:normal stretch:normal src index:1) source: https://mozorg.cdn.mozilla.net/media/fonts/OpenSans-Regular-webfont.2696e36f12c5.woff Source File: https://mozorg.cdn.mozilla.net/media/css/thunderbird-start-bundle.f3f2a61e7492.css Line: 1, Column: 1057 Source Code: @font-face { font-family: "Open Sans"; font-style: normal; font-weight: normal; src: url("/media/fonts/OpenSans-Regular-webfont.83efe33660ab.eot?#iefix") format("embedded-opentype"), url("/media/fonts/OpenSans-Regular-webfont.2696e36f12c5.woff") format("woff"), url("/media/fonts/OpenSans-Regular-webfont.3cbf4d3ed22e.ttf") format("truetype"); }
Timestamp: 7/17/2015 8:17:27 AM Error: An error occurred during a connection to host7.securenetweb.com:993.
SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.
(Error code: ssl_error_weak_server_ephemeral_dh_key)
Diubah
jscher2000 said
There is an extension named "Disable DHE" that turns off four weak ciphers. If you want to try it, you can use Tools > Add-ons and search from there. https://addons.mozilla.org/firefox/addon/disable-dhe/ (Developer reply to a recent review says it should work in Thunderbird.)
I was going to download that and it says "Get Firefox" or download anyway. If I download anyway, will it install itself on its own in TB? Yes I am BARELY computer literate. I use programs that I don't have to mess with and when one messes up I get a freeky.
Instead of trying to download the extension directly from the website, try using Tools > Add-ons from inside Thunderbird. If you don't see a Tools menu, try tapping the Alt key to activate the classic menu bar.
Ok stay with me here I went to the Tools/Addons and searched for Disable DHE I see 5 plugins that I could install
Disable Add on Compatibility Checks 1.3.1-signed Disable "You" 1.1 Plugin Disabler 0.2.1-signed New Plugin Disabler 0.3.1-signed Disable DragAndDrop (Thunderbird) 2.1.0
Im Lost
Well, it sounds as though there isn't an easy way to install it. My next suggestion would be to disable the old ciphers manually. To do that, you'll need to visit the Config Editor.
(1) Open the Config Editor using the steps in this article: Config Editor
(2) In the search box above the list, type or paste dhe and pause while the list is filtered
(3) Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it from true to false (disable Thunderbird from using this cipher)
(4) Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it from true to false (disable Thunderbird from using this cipher)
The extension disables two others, but I don't know how important they are. I can look them up if this doesn't help.
Then try to send/receive mail and see whether you still get the same error.
I will try this on Monday. I am off and it is my work computer that I am having this problem with. THANKS and will post my results Monday.
Thank you jscher2000
The Disable DHE add-on in FF did not work but your solution did.
Very much appreciated
jscher2000 said
There is an extension named "Disable DHE" that turns off four weak ciphers. If you want to try it, you can use Tools > Add-ons and search from there. https://addons.mozilla.org/firefox/addon/disable-dhe/ (Developer reply to a recent review says it should work in Thunderbird.)
This is brilliant, thank you so much! Normal service resumed pending reply from ISP.
jscher2000 Thanks going into the config editor worked.
THANK YOU
It's also worth asking your ISP to update their servers. I posted in my ISP's users' forum about this problem and quoted the explanations found here. I installed the DisableDHE add-on which gave me a temporary fix, but the ISP came back to me within an hour or so having updated the mailservers. I have now disabled the DisableDHE add-on and everything is working perfectly.
I do think it was was Exceptionally Mean of Mozilla to do this without warning. It took me most of the morning to work out what was going wrong (many thanks to this forum) and to get it fixed. Not the best way to begin the week.
Right, the addon DisableDHE and other workaround should NOT be your preferred permanent solution.
The mail provider should upgrade their keys.
my ISP Is Verizon. Try to get them to do ANYTHING is next to impossible. I am happy with the fact that I can now get my mail without having to continually log in to the mail server via webmail.
Now if someone knows why I get these ERRORS it would be extra Wonderful: The second one i get and the only difference that I SEE is that one says "open sans light" and the other just says "open sans"
Timestamp: 7/23/2015 8:17:13 AM Error: NS_ERROR_NOT_AVAILABLE: Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIXPCComponents_Utils.import] Source File: resource://gdata-provider/modules/shim/Loader.jsm Line: 5
Timestamp: 7/23/2015 8:17:16 AM Error: downloadable font: kern: Too large subtable., table discarded (font-family: "Open Sans Light" style:normal weight:normal stretch:normal src index:1) source: https://mozorg.cdn.mozilla.net/media/fonts/OpenSans-Light-webfont.1c8075cacedb.woff Source File: https://mozorg.cdn.mozilla.net/media/css/thunderbird-start-bundle.f3f2a61e7492.css Line: 1, Column: 36 Source Code: @font-face { font-family: "Open Sans Light"; font-style: normal; font-weight: normal; src: url("/media/fonts/OpenSans-Light-webfont.804037562eab.eot?#iefix") format("embedded-opentype"), url("/media/fonts/OpenSans-Light-webfont.1c8075cacedb.woff") format("woff"), url("/media/fonts/OpenSans-Light-webfont.ecb4572a5e47.ttf") format("truetype"); }