Bug 552266 - net-mail/courier-imap Minimal DHE key length of 1,024 bits
Status: RESOLVED FIXED
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: All Linux
Importance: Normal major
Assignee: No maintainer - Look at https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers if you want to take care of it
Duplicates: 554894
Reported: 2015-06-16 09:21 UTC by Octavian
Modified: 2016-08-10 19:09 UTC


Attachments
Patch to change the default to 2048 (courier-imap-4.15-dhparams-2048.patch, 276 bytes, patch)
2015-07-14 13:44 UTC, Philippe Chaintreuil

Description Octavian 2015-06-16 09:21:42 UTC
Default for DHE key length is 768. It needs to be changed to at least 1024. For more info see https://weakdh.org/

Regenerating the key is quite simple:
DH_BITS=1024 mkdhparams

Suggest running that at the end of installation. Otherwise some e-mail programs will refuse to connect. 

see also: 
https://forums.gentoo.org/viewtopic-p-7764834.html#7764834
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2015-07-14 13:35:00 UTC
*** Bug 554894 has been marked as a duplicate of this bug. ***
Comment 2 Philippe Chaintreuil 2015-07-14 13:44:13 UTC
Created attachment 406792 [details, diff]
Patch to change the default to 2048

Attaching patch that changes mkdhparams's default from 768 to 2048-bits.
Comment 3 Philippe Chaintreuil 2015-07-14 13:47:38 UTC
Also of note: Mozilla Thunderbird will no longer connect to servers with DHE keys that are this weak (< 1024 bits).

You'll get errors like this in your courier logs:

=========================================================================
Jul 14 09:26:15 hostname imapd-ssl[14260]: couriertls: accept: error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal parameter
Jul 14 09:26:15 hostname imapd-ssl[14260]: couriertls: accept: Connection reset by peer
=========================================================================
Comment 4 Ian Delaney (RETIRED) gentoo-dev 2015-07-16 13:31:37 UTC
Could the proxy maintainer acquire and runtest these patches?
Comment 5 Manuel Rüger (RETIRED) gentoo-dev 2015-07-16 13:41:51 UTC
(In reply to Ian Delaney from comment #4)
> Could the proxy maintainer acquire and runtest these patches?

Are you talking about yourself? Because in fact you are the proxy maintainer and not the maintainer that takes care of the package.
Comment 6 Ian Delaney (RETIRED) gentoo-dev 2015-07-16 16:27:33 UTC
        <herd>proxy-maintainers</herd>
        <maintainer>
                <email>david@ixit.cz</email>
                <name>David Heidelberg</name>

This is the proxy maintainer. So no.
Comment 7 Anthony de Boer 2015-07-26 21:44:06 UTC
Note the longer DH size also needs to go into /usr/sbin/mkimapdcert (see the gendh line) for imaps service; mkdhparams appears to be for starttls service.
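An added check, not part of this bug, its patch or courier-imap's own tooling: the description and Comment 7 say where the DH size is set (DH_BITS for mkdhparams, the gendh line in mkimapdcert), and Comment 3 shows what happens when a client refuses the group, but nothing on the page shows how to confirm what size a server actually has on disk. The script below parses a PEM "DH PARAMETERS" file (the PKCS#3 SEQUENCE of prime and generator that openssl-based generators write), reports the prime's bit length, and classifies it against the two numbers from the thread: under 1024 bits is what Thunderbird rejects, under 2048 is below the fixed default. The default path /etc/courier-imap/dhparams.pem is an assumption, and the sample PEM is constructed in the script from a 768-bit placeholder value, not a real prime, purely to exercise the parser.

```python
import base64
import re
import sys

# Sizes taken from the thread: clients such as Thunderbird refuse DHE groups
# under 1024 bits; the patched/upstream default is 2048.
CLIENT_FLOOR_BITS = 1024
RECOMMENDED_BITS = 2048


def _der_len(n):
    """DER length encoding: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(n):
    """DER INTEGER; a leading zero byte keeps a high-bit value positive."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return b"\x02" + _der_len(len(raw)) + raw


def encode_dh_params(p, g):
    """Build a PEM 'DH PARAMETERS' block (PKCS#3: SEQUENCE { prime, base })."""
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits say how many length bytes follow
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params(pem):
    """Return (p, g) from the first 'DH PARAMETERS' block in a PEM string."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected a SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER prime and INTEGER generator")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def dh_strength(pem):
    """Classify a DH group: 'rejected' (<1024 bits), 'weak' (<2048) or 'ok'."""
    p, g = parse_dh_params(pem)
    bits = p.bit_length()
    if bits < CLIENT_FLOOR_BITS:
        verdict = "rejected"
    elif bits < RECOMMENDED_BITS:
        verdict = "weak"
    else:
        verdict = "ok"
    return bits, g, verdict


# Constructed sample standing in for the old 768-bit default. The value is a
# placeholder with the right bit length, not a real prime; it only exercises
# the parser (including the leading-zero INTEGER case).
WEAK_PEM = encode_dh_params((1 << 767) | 1, 2)

if __name__ == "__main__":
    # Assumed default location; check where your mkdhparams/mkimapdcert wrote the file.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/courier-imap/dhparams.pem"
    with open(path) as f:
        bits, g, verdict = dh_strength(f.read())
    print(f"{path}: {bits}-bit DH prime, generator {g}: {verdict}")
    sys.exit(0 if verdict == "ok" else 1)
```

Run it against the file each of the two generators writes (the STARTTLS one from mkdhparams and the imaps one from mkimapdcert), since Comment 7 notes they are separate; a non-zero exit means the group is still one that clients will refuse or that is below the 2048-bit default.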
Comment 8 Ian Delaney (RETIRED) gentoo-dev 2015-07-28 15:27:58 UTC
To begin with, courier-imap-4.16.0 failed with courier-unicode-1.3 which wrongly names a header file courier-unicode.h. It requires a border version of 
=net-libs/courier-unicode-1.1

The file courier-imap-4.16.0/mkdhparams does not exist on src_unpack. It is generated by the build. The patch submitted in Comment 2 therefore does not work, since a patch is run in src_prepare. The file that builds mkdhparams needs to be patched instead. I suspect the pertinent files are
courier-imap-4.16.0/aclocal.m4 and or courier-imap-4.16.0/configure

$ grep "768" /mnt/gen2/TmpDir/portage/net-mail/courier-imap-4.16.0/work/courier-imap-4.16.0/*
/mnt/gen2/TmpDir/portage/net-mail/courier-imap-4.16.0/work/courier-imap-4.16.0/aclocal.m4:      lt_cv_sys_max_cmd_len=32768
/mnt/gen2/TmpDir/portage/net-mail/courier-imap-4.16.0/work/courier-imap-4.16.0/configure:      lt_cv_sys_max_cmd_len=32768

These 768 may be split off from the 32 in the build.  There are other files in subfolders with similar or same.

Either way, upstream should be notified with a bug to fix the build system and reset this to 2048 if this is the correct setting.

Currently this package has neither a participating (user) maintainer nor a usable patch to fix the build.
Comment 9 Pacho Ramos gentoo-dev 2016-08-09 09:07:20 UTC
does 4.16.2-r1 still need this patch?
Comment 10 Philippe Chaintreuil 2016-08-09 13:47:24 UTC
(In reply to Pacho Ramos from comment #9)
> does 4.16.2-r1 still need this patch?

It does not appear the patch is needed in 4.16.2-r1 as upstream has increased the default to 2048.
Comment 11 Pacho Ramos gentoo-dev 2016-08-10 19:09:33 UTC
ok, we will stabilize a newer version in a different bug

Thanks for feedback