From: Matthias A. <mat...@gm...> - 2020-12-15 20:54:52
On 15.12.20 at 17:32, David McKelvie wrote:
> I have a Ubuntu computer at home. My email gets delivered to a Centos 7 server.
>
> To get my email, I open an ssh tunnel from my home computer to the server
> connecting my port 7110 to the server port 110. Then I point fetchmail at local
> port 7110 to fetch my email.
>
> This worked just fine on Ubuntu 18.04 LTS (and previous versions). However, I
> recently updated to Ubuntu 20.04, and the fetchmail stopped working. The Centos
> server hasn't been updated, so it must be due to the change from Ubuntu 18.04 to
> 20.04. Some change to fetchmail and/or openssl?

David,

I haven't checked Ubuntu 20.04 beyond "compiles and passes smoke test".

Looking at your description, chances are Ubuntu 20.04 (relative to 18.04)
inherited OpenSSL configuration from Debian, a higher default SECLEVEL in
particular. Please see
https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1
and also comment #5 of
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1864689 appears to be
relevant. This might cause similar errors as you are seeing, and would hint
that checking the server-side certificate for bit lengths and algorithms could
be a good next step.

> Fetchmail version is release 6.4.2+GSS+NTLM+SDPS+SSL-SSLv2-SSLv3+NLS+KRB5.
>
> The error from fetchmail is:
>
> fetchmail: Server certificate verification error: EE certificate key too weak
> fetchmail: OpenSSL reported: error:1416F086:
> SSL routines:tls_process_server_certificate:certificate verify failed
> fetchmail: localhost: upgrade to TLS failed.
>
> I can still ssh to the server and open the ssh tunnel.

The SSH keys and certificates will usually not be the same as the ones that
the mail server uses, so that doesn't bear relevance here.

> Can anyone inform me what the right thing to do is, Do I need extra options on
> fetchmail, do I need to update a certificate, or modify my ssh config, or
> something else?

fetchmail in your configuration pulls up its own TLS layer (the server offers
STARTTLS and fetchmail uses it, possibly opportunistically) underneath SSH, so
you have SSH as the outer and then TLS on the inner layer. I think longer keys
and corresponding mail-server-side certificates might help.

-- 
Matthias Andree
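The "next step" suggested above, worked through as an added example (this script is not from the list thread and not part of fetchmail): it reproduces OpenSSL's "EE certificate key too weak" verdict offline by generating a 1024-bit and a 2048-bit self-signed certificate and verifying each with `openssl verify -auth_level 2`. OpenSSL's TLS stack sets the X.509 auth level from the SECLEVEL, so level 2 (112-bit security, i.e. RSA keys of at least 2048 bits) is the same floor the Debian/Ubuntu default of SECLEVEL=2 applies to a server certificate. The last function is the command to pull the real certificate through the SSH tunnel; it is not run here. The CN `mail.example.test`, the file names, and the tunnel port 7110 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the fetchmail project or the list thread.
# Assumptions: openssl(1) 1.1.1 or 3.x on PATH; CN, file names and the
# localhost:7110 tunnel port are illustrative.

# Print the size in bits of the public key in a PEM certificate.
# Works for both the 1.1.1 ("RSA Public-Key: (n bit)") and 3.x
# ("Public-Key: (n bit)") text output.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Verify a self-signed certificate at a given OpenSSL auth level.
# Level 1 requires 80-bit security (1024-bit RSA passes); level 2
# requires 112-bit security (2048-bit RSA), the SECLEVEL=2 floor.
# Returns 0 on success, non-zero if OpenSSL rejects the certificate.
verify_at_level() {
    level=$1; cert=$2
    openssl verify -auth_level "$level" -CAfile "$cert" "$cert" >/dev/null 2>&1
}

# Show why verification failed (e.g. "EE certificate key too weak").
verify_failure_reason() {
    openssl verify -auth_level "$1" -CAfile "$2" "$2" 2>&1 | grep -i 'weak' || true
}

# Dump the certificate a POP3 server presents after STARTTLS. Against the
# tunnel from the thread this would be: fetch_starttls_cert localhost 7110
# Not called below, because it needs the network.
fetch_starttls_cert() {
    host=$1; port=$2
    openssl s_client -connect "$host:$port" -starttls pop3 -showcerts \
        </dev/null 2>/dev/null | openssl x509
}

# Constructed sample input: a weak (1024-bit) and a strong (2048-bit)
# self-signed certificate, both signed with SHA-256 so only the key size
# differs between the two verification results.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
WEAK="$WORK/weak.pem"; STRONG="$WORK/strong.pem"
openssl req -x509 -newkey rsa:1024 -nodes -sha256 -days 1 \
    -subj /CN=mail.example.test -keyout "$WORK/weak.key" -out "$WEAK" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj /CN=mail.example.test -keyout "$WORK/strong.key" -out "$STRONG" 2>/dev/null

for c in "$WEAK" "$STRONG"; do
    printf '%s: %s-bit key, auth_level 2: ' "$(basename "$c")" "$(cert_key_bits "$c")"
    if verify_at_level 2 "$c"; then
        echo OK
    else
        echo "REJECTED: $(verify_failure_reason 2 "$c")"
    fi
done
```

The 1024-bit certificate is rejected with "EE certificate key too weak" at level 2 but accepted at level 1, which is exactly the behaviour change between an 18.04-era default and Ubuntu 20.04's SECLEVEL=2. If `fetch_starttls_cert localhost 7110 | openssl x509 -noout -text` against the real tunnel shows a key below 2048 bits, the fix belongs on the Centos side (reissue the mail server certificate with a longer key), not in fetchmail or ssh.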