couriertls: accept: error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal parameter

By , last updated August 24, 2015

Just found this error in my system log on my Gentoo system.

I’m running Courier-IMAP with self-signed SSL certificates, and I’m using Thunderbird 38.1.0 as my mail client.

After I upgraded to Thunderbird 38.1.0 I couldn’t get my mail anymore, and every time I tried to connect with Thunderbird the system log said: couriertls: accept: error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal parameter

In Thunderbird, pressing Ctrl+Shift+J reveals the Thunderbird Error Console. It gives out much more detailed information than those error boxes with Something went wrong messages.

Thunderbird is not happy with the number of bits in the DH parameters. Mozilla recently raised the minimum accepted DH group size from 768 bits to 1024 bits (part of their response to the Logjam attack). The log line is the server's view of that: "sslv3 alert illegal parameter" in OpenSSL means the peer sent an illegal_parameter alert, so it is Thunderbird rejecting the server's 768-bit group during the handshake, not a problem on the Courier side as such.

The culprit turns out to be the file /usr/share/dhparams.pem. It holds the DH parameters Courier IMAP uses, and it is regenerated regularly, with a minimum age of 25 days between regenerations. The file is supposed to be regenerated automatically on reboot or once a month, but I haven’t put effort into finding out who or what does it. A search for mkdhparams in /etc/ yielded no results.

To solve the problem here and now, run this in a root terminal (mkdhparams reads the DH_BITS environment variable, so the export must happen in the same shell):

export DH_BITS=2048
rm /usr/share/dhparams.pem; mkdhparams

To permanently store the number of bits, add export DH_BITS=2048 to /root/.bashrc. Note that this only covers interactive root shells: whatever cron job or init script regenerates the file does not read /root/.bashrc, so it will fall back to the built-in default unless DH_BITS is set in that job's own environment. Either way, check the file after the next automatic regeneration to make sure it did not silently drop back to 768 bits.
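A small script for keeping an eye on this, as an added example that is not from the original post or from the Courier project. It checks the DH parameter size in two places: in the PEM file on disk, and on the wire as a client like Thunderbird would see it, by forcing a DHE cipher suite with openssl s_client and reading the "Server Temp Key" line. If the file is too small it regenerates it the way the post describes. Assumptions: openssl(1) is installed, the file lives at /usr/share/dhparams.pem as stated above, and mkdhparams honours DH_BITS as described in the post; the DHPARAMS and MIN_BITS variable names and the "file"/"wire" subcommands are this script's own.

```shell
#!/bin/sh
# Added example, not part of the original post or of Courier itself.
# Assumes: openssl(1) on PATH, dhparams.pem at the path the post gives,
# and mkdhparams honouring DH_BITS as the post describes.

DHPARAMS=${DHPARAMS:-/usr/share/dhparams.pem}   # name chosen for this script
MIN_BITS=${MIN_BITS:-2048}                       # name chosen for this script

# Pull the modulus size out of the text dump produced by
# `openssl dhparam -in FILE -text -noout`, whose first line looks like
# "    DH Parameters: (768 bit)". Reads the dump on stdin, prints the number.
dh_bits_from_text() {
    sed -n 's/^[[:space:]]*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Pull the ephemeral key size out of `openssl s_client` output, which prints
# "Server Temp Key: DH, 768 bits" when a DHE suite was negotiated (TLS 1.2
# and below). Prints nothing if the server did not use finite-field DH.
temp_key_bits_from_sclient() {
    sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1
}

# True (0) when BITS is a number of at least MIN bits; an empty or
# non-numeric BITS (unreadable file, no DHE on the wire) counts as failing.
dh_bits_ok() {
    bits=$1; min=$2
    case $bits in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$bits" -ge "$min" ]
}

# Size of the parameters in the PEM file on disk.
dh_bits_of_file() {
    openssl dhparam -in "$1" -text -noout 2>/dev/null | dh_bits_from_text
}

# Size the running server actually offers. Restricting the client to DHE
# suites (no anonymous DH) makes the ServerKeyExchange carry the group.
dh_bits_on_wire() {
    host=$1; port=${2:-993}
    openssl s_client -connect "$host:$port" -cipher 'DHE:!aNULL' </dev/null 2>/dev/null \
        | temp_key_bits_from_sclient
}

# Regenerate with DH_BITS in the command's own environment, so this works
# from cron or an init script and does not depend on /root/.bashrc.
regen_dhparams() {
    rm -f "$DHPARAMS" && DH_BITS="$MIN_BITS" mkdhparams
}

# Usage:  dhcheck.sh file             check the file, regenerate if too small
#         dhcheck.sh wire HOST [PORT] report what a DHE client would be given
case ${1:-} in
    file)
        bits=$(dh_bits_of_file "$DHPARAMS")
        if dh_bits_ok "$bits" "$MIN_BITS"; then
            echo "$DHPARAMS: $bits bits, OK"
        else
            echo "$DHPARAMS: ${bits:-unreadable}, below $MIN_BITS bits; regenerating"
            regen_dhparams
        fi ;;
    wire)
        bits=$(dh_bits_on_wire "$2" "${3:-993}")
        echo "$2: DHE temp key ${bits:-not negotiated} bits" ;;
esac
```

Run `sh dhcheck.sh file` as root after a reboot or at the start of each month to catch a regeneration that fell back to the default, and `sh dhcheck.sh wire mail.example.org` from another machine to confirm the size Thunderbird will actually be offered; an empty "not negotiated" result means the server picked a non-DHE suite for that connection, which is worth knowing too.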

Comments

  1. Angelo Babudro August 9, 2015

    Thanks a lot for figuring this out. I found that “export” didn’t do the trick for my Gentoo installation — it still used 768-bits — but this worked:

    rm -f /usr/share/dhparams.pem && BITS=2048 mkdhparams

  2. Angelo Babudro August 9, 2015

    Sorry, I meant to type:
    rm -f /usr/share/dhparams.pem && DH_BITS=2048 mkdhparams

    The man page for mkdhparams mentions a BIT variable, but it is in fact DH_BITS as you said in your article.

    Thanks again.

  3. kent August 9, 2015

    Hi,

    Thanks for your comment. I’ll investigate tomorrow and see if I wrote something mistaken in the article.

  4. jaXvi August 24, 2015

    s/DB_BITS/DH_BITS

    • kent August 24, 2015

      @jaXvi: Thank you very much!

      The mistake is corrected in the post. Somehow, somewhere on the way from the terminal to this blog post DH_BITS became DB_BITS. DH_BITS is the correct environment variable.

      Sorry!

      • jaXvi August 24, 2015

        Just a typo, np 😉
        btw, noticed this bug (#787579) in a Debian 8 server + Icedove (Thunderbird) _31.8.0_ client.
        Liked that Ctrl+Shift+j trick.
        Thanks to you!
