38.1.0, getting new mail no longer works. CAUSE Logjam/weak Diffie-Hellman key mitigation bug 1185060 SOLUTION requires TLS/SSL security key length >=1024
That's pretty much it. After upgrading, I can no longer receive mail. I can send out but it does not put a copy in the Sent folder and I get an error.
"There was an error saving the message to Sent. Retry?"
But the message shows up on the other end.
I checked the same mail accounts on Webmail and on my phone. No problems there.
I have removed the account and tried adding it back, but get an error:
"Username or password invalid" "Configuration could not be verified - is the username or password wrong?"
The username and password are correct. Again, nothing has changed with the mail account and it works in Webmail and on my iPhone.
Any help would be greatly appreciated!
Please post your Troubleshooting Information. Help (Alt-H) - Troubleshooting Information
Application Basics
Name: Thunderbird Version: 38.1.0 User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.1.0 Profile Folder: Show Folder
(Local drive) Application Build ID: 20150707103124 Enabled Plugins: about:plugins Build Configuration: about:buildconfig Memory Use: about:memory
Mail and News Accounts account1: INCOMING: account1, , (imap) imap.cox.net:993, SSL, passwordCleartext OUTGOING: smtp.cox.net:465, SSL, passwordCleartext, true
account2: INCOMING: account2, , (none) Local Folders, plain, passwordCleartext
account3: INCOMING: account3, , (imap) provisionists.com:993, SSL, passwordCleartext OUTGOING: smtp.cox.net:465, SSL, passwordCleartext, true
Crash Reports
Extensions Google Calendar Tab, 3.9, true, googlecalendartab@momo Lightning, 4.0.1, true, {e2fda1a4-762b-4020-b5ad-a41df1933103} Provider for Google Calendar, 1.0.4, true, {a62ef8ec-5fdc-40c2-873c-223b8a6925cc}
Important Modified Preferences
Graphics
Adapter Description: Intel(R) HD Graphics 4000 Vendor ID: 0x8086 Device ID: 0x0166 Adapter RAM: Unknown Adapter Drivers: igdumdim64 igd10iumd64 igd10iumd64 igdumdim32 igd10iumd32 igd10iumd32 Driver Version: 10.18.10.3345 Driver Date: 10-28-2013 Direct2D Enabled: true DirectWrite Enabled: true (6.3.9600.17795) ClearType Parameters: ClearType parameters not found WebGL Renderer: false GPU Accelerated Windows: 1/1 Direct3D 11
AzureCanvasBackend: direct2d 1.1 AzureSkiaAccelerated: 0 AzureFallbackCanvasBackend: cairo AzureContentBackend: direct2d 1.1
JavaScript
Incremental GC: 1
Accessibility
Activated: 1 Prevent Accessibility: 0
Library Versions
Expected minimum version Version in use
NSPR 4.10.8 4.10.8
NSS 3.19.2 Basic ECC 3.19.2 Basic ECC
NSS Util 3.19.2 3.19.2
NSS SSL 3.19.2 Basic ECC 3.19.2 Basic ECC
NSS S/MIME 3.19.2 Basic ECC 3.19.2 Basic ECC
EVERYONE!
The "Powers that be" at Mozilla decided to limit TLS/SSL security to no less than 1024 DH keys with TB v38.1 that gets automatically installed on pretty much everyone's computer. This installation breaks god knows how many people's email, be it with the SMTP, POP or IMAP services, and with Firefox, web services.
There seems to be no way to force TB to go back to allow the so called 'weaker' 512 DH keys.
I AM SO PISSED OFF RIGHT NOW!
Your only option appears to be to downgrade back to TB 31.7.0 and whatever the last version of Firefox was.
Link to last working version of TB is https://ftp.mozilla.org/pub/mozilla.org/thunderbird/releases/31.7.0/win32/en-US/Thunderbird%20Setup%2031.7.0.exe
Good luck!
I will NEVER UPGRADE ANYTHING FROM MOZILLA AGAIN!
Well, if I cannot access mail from these accounts using Thunderbird anymore, I guess it's time to move on. I am very disappointed. I really like TB, but I really need access to these accounts and logging into 3 different webmail accounts is unacceptable. I guess they are forcing me to move to Outlook.
Bobatkins,
I'm not doubting you, but can you tell us how you learnt this?
Why isn't it killing my email on any of my three computers, all running TB38.1.0 on a mix of windows and linux?
To the original poster. Please check the error console on the Tools menu (Alt+T) to see if there are errors there about weak Diffie-Hellman. If they are there, please read the information here, particularly the information on what the consumer needs to do. You will note from the text that Apple, Microsoft, Google and Mozilla are all acting on this threat, so Outlook will probably soon, if not already, have the same result on the same servers. This is basically an internet change, not some storm Mozilla dreamed up, and it involves web browsers and email clients alike. Anything that uses TLS security really.
If Diffie-Hellman is not showing, please post back so someone can continue working with you in a genuine attempt to assist you. I ask you excuse bobatkins. I addressed an almost identical complaint from him earlier today. Apparently he thinks a head in the sand approach to security is the appropriate way to go. Me, I think we need to get the system administrators for the 10-15% of servers that have not been fixed to get off their collective and fix it.
Zenos said
Bobatkins, I'm not doubting you, but can you tell us how you learnt this?
https://bugzilla.mozilla.org/show_bug.cgi?id=1138554 refers. I was not aware of it other than to know changes to TLS were coming from Logjam, which I read about on CNET. The changes appear from the bug to have dropped into Gecko basically unnoticed by Thunderbird folk and so bubbled up. I think into 38.1
Why isn't it killing my email on any of my three computers, all running TB38.1.0 on a mix of windows and linux?
It only applies to servers still using 512 bit TLS encryption. This is about 14% of SMTP mail servers using TLS. Less for IMAP and POP per https://weakdh.org/
Note the site appears to be written by the team that discovered the vulnerability and is the clearest, least alarmist and sensible thing I have read on the subject.
Matt said
To the original poster. Please check the error console on the Tools menu (Alt+T) to see if there are errors there about weak Diffie-Hellman. If they are there, please read the information here, particularly the information on what the consumer needs to do. You will note from the text that Apple, Microsoft, Google and Mozilla are all acting on this threat, so Outlook will probably soon, if not already, have the same result on the same servers. This is basically an internet change, not some storm Mozilla dreamed up, and it involves web browsers and email clients alike. Anything that uses TLS security really. If Diffie-Hellman is not showing, please post back so someone can continue working with you in a genuine attempt to assist you. I ask you excuse bobatkins. I addressed an almost identical complaint from him earlier today. Apparently he thinks a head in the sand approach to security is the appropriate way to go. Me, I think we need to get the system administrators for the 10-15% of servers that have not been fixed to get off their collective and fix it.
Timestamp: 7/16/2015 2:53:18 PM Error: An error occurred during a connection to provisionists.com:993.
SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.
(Error code: ssl_error_weak_server_ephemeral_dh_key)
Ok so the server needs an update. I just looked at sendmail for someone and they released their update on the 3rd July. Most other mail products affected will also have released an update.
**UPDATE** Following discussion here, it looks like there is a workaround available through installing an add-on.
Still no.
Server is upgraded. Still no go.
Also, that add-on does not appear in the list when you search on it. When I click on the link it does not install.
When I click on the link it does not install.
http://chrisramsden.vfast.co.uk/3_How_to_install_Add-ons_in_Thunderbird.html
I had to relocate my site and all the old links are broken. :-(
Okay, I manually installed the add-on and it fixed the problem.
When your problem has been fixed can you mark the thread as 'Solved' please? Thank you.
Temporal Solution:
Preferences -> Advanced -> General -> Configuration Editor ...
Promise you will be careful! ...
Look for ssl3 at the search bar....
security.ssl3.dhe_rsa_aes_128_sha must be switched from true to false
security.ssl3.dhe_rsa_aes_256_sha must be switched from true to false
Restart the application and IT WORKS!!!
Chosen solution
Same problem here. In my case, I control the server. So I had my server admins update the software and install a 2048-bit key in place of the old 768-bit key. (By the way, for those with their own server wrestling with this problem, you have to upgrade to cPanel/WHM 11.5 in order to upgrade the key. Older versions can't store keys larger than 768-bits for SSH.)
Now, most of my accounts are working. However, one account still gets the error.
When I check the error console, I find the following:
Timestamp: 7/22/2015 8:44:35 AM Error: An error occurred during a connection to [domain]:143.
Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)
I had the same issue. I contacted the web hosting company and they confirmed our server needed a patch installed that would make it so that the 'key size' was updated, as the previously acceptable 'key size' was no longer acceptable.
Issue immediately solved
vahost,
please start a new thread for your problem.