X
Thinta lapha ukuze uye kuveshini yamakhalekhukhwini kusayithi.

Isithangami Sabeseki

Lolu chungechunge lwabekwa kunqolobane. Uyacelwa ubuze umbuzo omusha uma udinga usizo.

weak ephemeral Diffle-Hellman key error when connecting to imap server TBird 38.1.0

Kuphostiwe

Hi, this started happening around 36 hours ago. When checking mail occasionally see status line message "checking server capabilities",

error console reveals

Timestamp: 15/07/2015 6:54:43 AM Error: An error occurred during a connection to ju001lcs06.cbr.the-server.com.au:993. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

Searching for this error points to a couple of workarounds in FFox, which I've done anyway, but not anything Thunderbird related that I could find.

No mail is being retrieved.

Any assistance appreciated.

Hi, this started happening around 36 hours ago. When checking mail occasionally see status line message "checking server capabilities", error console reveals Timestamp: 15/07/2015 6:54:43 AM Error: An error occurred during a connection to ju001lcs06.cbr.the-server.com.au:993. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key) Searching for this error points to a couple of workarounds in FFox, which I've done anyway, but not anything Thunderbird related that I could find. No mail is being retrieved. Any assistance appreciated.

Eminye Imininingwane Yohlelo

Isisebenziso

  • I-ejenti Engumsebenzisi: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36

Eminye Imininingwane

christ1
  • Top 25 Contributor
2171 izisombululo 15892 izimpendulo
Kuphostiwe

Can you post your Troubleshooting Information? Help (Alt-H) - Troubleshooting Information

Can you post your Troubleshooting Information? Help (Alt-H) - Troubleshooting Information

Umnikazi wombuzo

Other nstalls with v37.1.0 had no problem connecting to this particular server. Unfortunately I can't offer more information as I've uninstalled TB and moved to another product. Thanks for your assistance.

Other nstalls with v37.1.0 had no problem connecting to this particular server. Unfortunately I can't offer more information as I've uninstalled TB and moved to another product. Thanks for your assistance.
jscher2000
  • Top 10 Contributor
8770 izisombululo 71713 izimpendulo
Kuphostiwe

For anyone else coming across this thread, disabling the weak ciphers in the configuration editor may resolve this issue. The equivalent settings for Firefox are discussed here: https://support.mozilla.org/questions/1071500

(Unfortunately, I don't have TB on this computer to test.)

For anyone else coming across this thread, disabling the weak ciphers in the configuration editor may resolve this issue. The equivalent settings for Firefox are discussed here: https://support.mozilla.org/questions/1071500 (Unfortunately, I don't have TB on this computer to test.)
christ1
  • Top 25 Contributor
2171 izisombululo 15892 izimpendulo
Kuphostiwe
disabling the weak ciphers in the configuration editor may resolve this issue.

This doesn't address the underlying problem, which is a misconfigured server exposing it's users to the Logjam vulnerability. https://weakdh.org/

Thunderbird is not supposed to communicate with servers which haven't been patched and are still vulnerable.

<blockquote> disabling the weak ciphers in the configuration editor may resolve this issue. </blockquote> This doesn't address the underlying problem, which is a misconfigured server exposing it's users to the Logjam vulnerability. https://weakdh.org/ Thunderbird is not supposed to communicate with servers which haven't been patched and are still vulnerable.

Okulungisiwe ngu christ1

jscher2000
  • Top 10 Contributor
8770 izisombululo 71713 izimpendulo
Kuphostiwe

christ1 said

disabling the weak ciphers in the configuration editor may resolve this issue.

This doesn't address the underlying problem, which is a misconfigured server exposing it's users to the Logjam vulnerability. https://weakdh.org/

Thunderbird is not supposed to communicate with servers which haven't been patched and are still vulnerable.

What I think this change does is cause Firefox (and possibly TB) to reject those ciphers if the server tries to use them for any purpose, including key exchange. Then if the server is capable of using stronger ciphers for key exchange, it should do so.

I guess that is a failure to stand on principle, but if you need your email...

''christ1 [[#answer-754679|said]]'' <blockquote> <blockquote> disabling the weak ciphers in the configuration editor may resolve this issue. </blockquote> This doesn't address the underlying problem, which is a misconfigured server exposing it's users to the Logjam vulnerability. https://weakdh.org/ Thunderbird is not supposed to communicate with servers which haven't been patched and are still vulnerable. </blockquote> What I ''think'' this change does is cause Firefox (and possibly TB) to reject those ciphers if the server tries to use them for any purpose, including key exchange. Then if the server is capable of using stronger ciphers for key exchange, it should do so. I guess that is a failure to stand on principle, but if you need your email...
Obiwan 0 izisombululo 13 izimpendulo
Kuphostiwe

christ1 said

Can you post your Troubleshooting Information? Help (Alt-H) - Troubleshooting Information

Thats a huge amount of stuff on that Troubleshooting Document. You want it all or is there some specific info you are looking for. Mine quit working and this is the same error I receive. Started saying that it "Can't Save to sent file" then I cant receive any emails. I can send one every now and then.

''christ1 [[#answer-754171|said]]'' <blockquote> Can you post your Troubleshooting Information? Help (Alt-H) - Troubleshooting Information </blockquote> Thats a huge amount of stuff on that Troubleshooting Document. You want it all or is there some specific info you are looking for. Mine quit working and this is the same error I receive. Started saying that it "Can't Save to sent file" then I cant receive any emails. I can send one every now and then.
Obiwan 0 izisombululo 13 izimpendulo
Kuphostiwe

Sorry Double posted by accident

Sorry Double posted by accident

Okulungisiwe ngu Obiwan

jscher2000
  • Top 10 Contributor
8770 izisombululo 71713 izimpendulo
Kuphostiwe

Impendulo Ewusizo

There is an extension named "Disable DHE" that turns off four weak ciphers. If you want to try it, you can use Tools > Add-ons and search from there.

https://addons.mozilla.org/firefox/addon/disable-dhe/

(Developer reply to a recent review says it should work in Thunderbird.)

There is an extension named "Disable DHE" that turns off four weak ciphers. If you want to try it, you can use Tools > Add-ons and search from there. https://addons.mozilla.org/firefox/addon/disable-dhe/ (Developer reply to a recent review says it should work in Thunderbird.)
Obiwan 0 izisombululo 13 izimpendulo
Kuphostiwe

jscher2000 I am going to try to find what you are talking about. I will let you know if i can figure it out.

So I get 3 errors every time I try to get my mail in Thunderbird. The ones I got this morning. are pasted at the end here.

I still can not get mail but it appears that I can Send mail. One of the accounts continually says "There was an error Saving the message to Sent. Retry?"

I am running in safe mode ANY HELP WOULD BE WONDERFUL. I really Hate having to use the WEBMAIL that our mailserver provides.

Timestamp: 7/17/2015 8:17:27 AM Error: downloadable font: kern: Too large subtable., table discarded (font-family: "Open Sans Light" style:normal weight:normal stretch:normal src index:1) source: https://mozorg.cdn.mozilla.net/media/fonts/OpenSans-Light-webfont.1c8075cacedb.woff Source File: https://mozorg.cdn.mozilla.net/media/css/thunderbird-start-bundle.f3f2a61e7492.css Line: 1, Column: 36 Source Code: @font-face { font-family: "Open Sans Light"; font-style: normal; font-weight: normal; src: url("/media/fonts/OpenSans-Light-webfont.804037562eab.eot?#iefix") format("embedded-opentype"), url("/media/fonts/OpenSans-Light-webfont.1c8075cacedb.woff") format("woff"), url("/media/fonts/OpenSans-Light-webfont.ecb4572a5e47.ttf") format("truetype"); }

Timestamp: 7/17/2015 8:17:27 AM Error: downloadable font: kern: Too large subtable., table discarded (font-family: "Open Sans" style:normal weight:normal stretch:normal src index:1) source: https://mozorg.cdn.mozilla.net/media/fonts/OpenSans-Regular-webfont.2696e36f12c5.woff Source File: https://mozorg.cdn.mozilla.net/media/css/thunderbird-start-bundle.f3f2a61e7492.css Line: 1, Column: 1057 Source Code: @font-face { font-family: "Open Sans"; font-style: normal; font-weight: normal; src: url("/media/fonts/OpenSans-Regular-webfont.83efe33660ab.eot?#iefix") format("embedded-opentype"), url("/media/fonts/OpenSans-Regular-webfont.2696e36f12c5.woff") format("woff"), url("/media/fonts/OpenSans-Regular-webfont.3cbf4d3ed22e.ttf") format("truetype"); }

Timestamp: 7/17/2015 8:17:27 AM Error: An error occurred during a connection to host7.securenetweb.com:993.

SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message.

(Error code: ssl_error_weak_server_ephemeral_dh_key)

jscher2000 I am going to try to find what you are talking about. I will let you know if i can figure it out. So I get 3 errors every time I try to get my mail in Thunderbird. The ones I got this morning. are pasted at the end here. I still can not get mail but it appears that I can Send mail. One of the accounts continually says "There was an error Saving the message to Sent. Retry?" I am running in safe mode ANY HELP WOULD BE WONDERFUL. I really Hate having to use the WEBMAIL that our mailserver provides. Timestamp: 7/17/2015 8:17:27 AM Error: downloadable font: kern: Too large subtable., table discarded (font-family: "Open Sans Light" style:normal weight:normal stretch:normal src index:1) source: https://mozorg.cdn.mozilla.net/media/fonts/OpenSans-Light-webfont.1c8075cacedb.woff Source File: https://mozorg.cdn.mozilla.net/media/css/thunderbird-start-bundle.f3f2a61e7492.css Line: 1, Column: 36 Source Code: @font-face { font-family: "Open Sans Light"; font-style: normal; font-weight: normal; src: url("/media/fonts/OpenSans-Light-webfont.804037562eab.eot?#iefix") format("embedded-opentype"), url("/media/fonts/OpenSans-Light-webfont.1c8075cacedb.woff") format("woff"), url("/media/fonts/OpenSans-Light-webfont.ecb4572a5e47.ttf") format("truetype"); } Timestamp: 7/17/2015 8:17:27 AM Error: downloadable font: kern: Too large subtable., table discarded (font-family: "Open Sans" style:normal weight:normal stretch:normal src index:1) source: https://mozorg.cdn.mozilla.net/media/fonts/OpenSans-Regular-webfont.2696e36f12c5.woff Source File: https://mozorg.cdn.mozilla.net/media/css/thunderbird-start-bundle.f3f2a61e7492.css Line: 1, Column: 1057 Source Code: @font-face { font-family: "Open Sans"; font-style: normal; font-weight: normal; src: url("/media/fonts/OpenSans-Regular-webfont.83efe33660ab.eot?#iefix") format("embedded-opentype"), url("/media/fonts/OpenSans-Regular-webfont.2696e36f12c5.woff") format("woff"), url("/media/fonts/OpenSans-Regular-webfont.3cbf4d3ed22e.ttf") format("truetype"); } Timestamp: 7/17/2015 8:17:27 AM Error: An error occurred during a connection to host7.securenetweb.com:993. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

Okulungisiwe ngu Obiwan

Obiwan 0 izisombululo 13 izimpendulo
Kuphostiwe

jscher2000 said

There is an extension named "Disable DHE" that turns off four weak ciphers. If you want to try it, you can use Tools > Add-ons and search from there. https://addons.mozilla.org/firefox/addon/disable-dhe/ (Developer reply to a recent review says it should work in Thunderbird.)

I was going to download that and it says "Get Firefox" or download anyway. If I download anyway, will it install itself on its own in TB? Yes I am BARELY computer literate. I use programs that I don't have to mess with and when one messes up I get a freeky.

''jscher2000 [[#answer-754929|said]]'' <blockquote> There is an extension named "Disable DHE" that turns off four weak ciphers. If you want to try it, you can use Tools > Add-ons and search from there. https://addons.mozilla.org/firefox/addon/disable-dhe/ (Developer reply to a recent review says it should work in Thunderbird.) </blockquote> I was going to download that and it says "Get Firefox" or download anyway. If I download anyway, will it install itself on its own in TB? Yes I am BARELY computer literate. I use programs that I don't have to mess with and when one messes up I get a freeky.
jscher2000
  • Top 10 Contributor
8770 izisombululo 71713 izimpendulo
Kuphostiwe

Instead of trying to download the extension directly from the website, try using Tools > Add-ons from inside Thunderbird. If you don't see a Tools menu, try tapping the Alt key to activate the classic menu bar.

Instead of trying to download the extension directly from the website, try using Tools > Add-ons from inside Thunderbird. If you don't see a Tools menu, try tapping the Alt key to activate the classic menu bar.
Obiwan 0 izisombululo 13 izimpendulo
Kuphostiwe

Ok stay with me here I went to the Tools/Addons and searched for Disable DHE I see 5 plugins that I could install

Disable Add on Compatibility Checks 1.3.1-signed Disable "You" 1.1 Plugin Disabler 0.2.1-signed New Plugin Disabler 0.3.1-signed Disable DragAndDrop (Thunderbird) 2.1.0

Im Lost

Ok stay with me here I went to the Tools/Addons and searched for Disable DHE I see 5 plugins that I could install Disable Add on Compatibility Checks 1.3.1-signed Disable "You" 1.1 Plugin Disabler 0.2.1-signed New Plugin Disabler 0.3.1-signed Disable DragAndDrop (Thunderbird) 2.1.0 Im Lost
jscher2000
  • Top 10 Contributor
8770 izisombululo 71713 izimpendulo
Kuphostiwe

Impendulo Ewusizo

Well, it sounds as though there isn't an easy way to install it. My next suggestion would be to disable the old ciphers manually. To do that, you'll need to visit the Config Editor.

(1) Open the Config Editor using the steps in this article: Config Editor

(2) In the search box above the list, type or paste dhe and pause while the list is filtered

(3) Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it from true to false (disable Thunderbird from using this cipher)

(4) Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it from true to false (disable Thunderbird from using this cipher)

The extension disables two others, but I don't know how important they are. I can look them up if this doesn't help.

Then try to send/receive mail and see whether you still get the same error.

Well, it sounds as though there isn't an easy way to install it. My next suggestion would be to disable the old ciphers manually. To do that, you'll need to visit the Config Editor. (1) Open the Config Editor using the steps in this article: [[Config Editor]] (2) In the search box above the list, type or paste '''dhe''' and pause while the list is filtered (3) Double-click the '''security.ssl3.dhe_rsa_aes_128_sha''' preference to switch it from true to false (disable Thunderbird from using this cipher) (4) Double-click the '''security.ssl3.dhe_rsa_aes_256_sha''' preference to switch it from true to false (disable Thunderbird from using this cipher) ''The extension disables two others, but I don't know how important they are. I can look them up if this doesn't help.'' Then try to send/receive mail and see whether you still get the same error.
Obiwan 0 izisombululo 13 izimpendulo
Kuphostiwe

I will try this on Monday. I am off and it is my work computer that I am having this problem with. THANKS and will post my results Monday.

I will try this on Monday. I am off and it is my work computer that I am having this problem with. THANKS and will post my results Monday.
kwarr 0 izisombululo 5 izimpendulo
Kuphostiwe

Thank you jscher2000

The Disable DHE add-on in FF did not work but your solution did.

Very much appreciated

Thank you jscher2000 The Disable DHE add-on in FF did not work but your solution did. Very much appreciated
ElviraKate 0 izisombululo 3 izimpendulo
Kuphostiwe

jscher2000 said

There is an extension named "Disable DHE" that turns off four weak ciphers. If you want to try it, you can use Tools > Add-ons and search from there. https://addons.mozilla.org/firefox/addon/disable-dhe/ (Developer reply to a recent review says it should work in Thunderbird.)

This is brilliant, thank you so much! Normal service resumed pending reply from ISP.

''jscher2000 [[#answer-754929|said]]'' <blockquote> There is an extension named "Disable DHE" that turns off four weak ciphers. If you want to try it, you can use Tools > Add-ons and search from there. https://addons.mozilla.org/firefox/addon/disable-dhe/ (Developer reply to a recent review says it should work in Thunderbird.) </blockquote> This is brilliant, thank you so much! Normal service resumed pending reply from ISP.
Obiwan 0 izisombululo 13 izimpendulo
Kuphostiwe

jscher2000 Thanks going into the config editor worked.

THANK YOU

jscher2000 Thanks going into the config editor worked. THANK YOU
ElviraKate 0 izisombululo 3 izimpendulo
Kuphostiwe

It's also worth asking your ISP to update their servers. I posted in my ISP's users' forum about this problem and quoted the explanations found here. I installed the DisableDHE add-on which gave me a temporary fix, but the ISP came back to me within an hour or so having updated the mailservers. I have now disabled the DisableDHE add-on and everything is working perfectly.

I do think it was was Exceptionally Mean of Mozilla to do this without warning. It took me most of the morning to work out what was going wrong (many thanks to this forum) and to get it fixed. Not the best way to begin the week.

It's also worth asking your ISP to update their servers. I posted in my ISP's users' forum about this problem and quoted the explanations found here. I installed the DisableDHE add-on which gave me a temporary fix, but the ISP came back to me within an hour or so having updated the mailservers. I have now disabled the DisableDHE add-on and everything is working perfectly. I do think it was was Exceptionally Mean of Mozilla to do this without warning. It took me most of the morning to work out what was going wrong (many thanks to this forum) and to get it fixed. Not the best way to begin the week.
Wayne Mery
  • Top 25 Contributor
  • Moderator
592 izisombululo 5580 izimpendulo
Kuphostiwe

Right, the addon DisableDHE and other workaround should NOT be your preferred permanent solution.

The mail provider should upgrade their keys.

Right, the addon DisableDHE and other workaround should NOT be your preferred permanent solution. The mail provider should upgrade their keys.
Obiwan 0 izisombululo 13 izimpendulo
Kuphostiwe

my ISP Is Verizon. Try to get them to do ANYTHING is next to impossible. I am happy with the fact that I can now get my mail without having to continually log in to the mail server via webmail.

Now if someone knows why I get these ERRORS it would be extra Wonderful: The second one i get and the only difference that I SEE is that one says "open sans light" and the other just says "open sans"

Timestamp: 7/23/2015 8:17:13 AM Error: NS_ERROR_NOT_AVAILABLE: Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIXPCComponents_Utils.import] Source File: resource://gdata-provider/modules/shim/Loader.jsm Line: 5

Timestamp: 7/23/2015 8:17:16 AM Error: downloadable font: kern: Too large subtable., table discarded (font-family: "Open Sans Light" style:normal weight:normal stretch:normal src index:1) source: https://mozorg.cdn.mozilla.net/media/fonts/OpenSans-Light-webfont.1c8075cacedb.woff Source File: https://mozorg.cdn.mozilla.net/media/css/thunderbird-start-bundle.f3f2a61e7492.css Line: 1, Column: 36 Source Code: @font-face { font-family: "Open Sans Light"; font-style: normal; font-weight: normal; src: url("/media/fonts/OpenSans-Light-webfont.804037562eab.eot?#iefix") format("embedded-opentype"), url("/media/fonts/OpenSans-Light-webfont.1c8075cacedb.woff") format("woff"), url("/media/fonts/OpenSans-Light-webfont.ecb4572a5e47.ttf") format("truetype"); }

my ISP Is Verizon. Try to get them to do ANYTHING is next to impossible. I am happy with the fact that I can now get my mail without having to continually log in to the mail server via webmail. Now if someone knows why I get these ERRORS it would be extra Wonderful: The second one i get and the only difference that I SEE is that one says "open sans light" and the other just says "open sans" Timestamp: 7/23/2015 8:17:13 AM Error: NS_ERROR_NOT_AVAILABLE: Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIXPCComponents_Utils.import] Source File: resource://gdata-provider/modules/shim/Loader.jsm Line: 5 Timestamp: 7/23/2015 8:17:16 AM Error: downloadable font: kern: Too large subtable., table discarded (font-family: "Open Sans Light" style:normal weight:normal stretch:normal src index:1) source: https://mozorg.cdn.mozilla.net/media/fonts/OpenSans-Light-webfont.1c8075cacedb.woff Source File: https://mozorg.cdn.mozilla.net/media/css/thunderbird-start-bundle.f3f2a61e7492.css Line: 1, Column: 36 Source Code: @font-face { font-family: "Open Sans Light"; font-style: normal; font-weight: normal; src: url("/media/fonts/OpenSans-Light-webfont.804037562eab.eot?#iefix") format("embedded-opentype"), url("/media/fonts/OpenSans-Light-webfont.1c8075cacedb.woff") format("woff"), url("/media/fonts/OpenSans-Light-webfont.ecb4572a5e47.ttf") format("truetype"); }