...
 
Commits (2)
---
title: "OpenSSL responded: [SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:727)"
authors: Alain M. Lafon
category: linux
date-published: 2019-07-02
tags:
- linux
- debian
- outlook
uuid: a27d021d-a4f9-4078-b21d-5ae5c71754cb
description: >-
For when your mail provider uses insecure encryption settings, but
you still want to read your emails.
---
I use [[https://github.com/OfflineIMAP/offlineimap/][Offlineimap]] to download mails from various accounts
to my machine where. After my last Debian upgrade, when running
=offlineimap=, I got the following error for one of my accounts:
#+BEGIN_EXAMPLE
Establishing connection to imap.redacted.ch:993 (redacted-Remote)
ERROR: Unknown SSL protocol connecting to host 'imap.redacted.ch' for repository 'redacted-Remote'. OpenSSL responded:
[SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:727)
*** Finished account 'redacted' in 0:00
ERROR: Exceptions occurred during the run!
#+END_EXAMPLE
If you have the following error, let me save you some time with your
favorite search engine: The reason is that "newer" versions of OpenSSL
fend of a TLS attack called [[https://mitls.org/pages/attacks/SMACK#freak][FREAK]] (Factoring RSA Export Keys). When
you get this =openimap= error, it means that you're encrypting the
connection to your mail server with TLS whilst using a key smaller
than 768 bytes. This connection can be attacked and is therefore
considered unsafe. That's why OpenSSL will terminate this connection
by default instead of trusting it. Read more about this attack on a
blog post on [[https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/][openssl.org]] from 2015.
If you own the mail server yourself or have some kind of authority
over it, please don't use the workaround I'm proposing here, but
upgrade your mail servers security. As mentioned above, OpenSSL wrote
about and fixed this issue in 2015 - so it's about time for sysadmins
to follow up on this.
In my case, I
don't have authority over the mail server in question (it is an
Outlook server of a big corporation). If you're in the same boat, the
'fix' is simple: Ignore the error by falling back to an old
authentication scheme =tls1_2=. For that, open your =.offlineimaprc=
configuration file, go to the section =[Repository yourServer-Remote]=
and add a line =ssl_version=tls1_2=. The full entry will look like this:
#+BEGIN_EXAMPLE
[Repository redacted-Remote]
type = IMAP
remotehost = imap.redacted.ch
remoteuser = me@redacted.ch
remotepass = ...
ssl_version=tls1_2
[more customizations]
#+END_EXAMPLE
Good luck and enjoy reading mails from insecure servers^^
If you're curious about my mail setup, let me elaborate a little on
that: After downloading emails with Offlineimap, I read and answer
them using [[https://github.com/djcb/mu][Mu4e]] and [[https://emacs.org/][Emacs]]. This is by far the best email setup that I
have worked with in 20 years of using email on a daily basis. You can
find my Mu4e Emacs configuration here:
https://github.com/munen/emacs.d/#mail