couriertls: accept: error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal parameter

Last updated September 1, 2019

Just found this error in my system log on my Gentoo system.

I’m running Courier-IMAP with self-signed SSL certificates, and I’m using Thunderbird 38.1.0 as my mail client.

After I upgraded to Thunderbird 38.1.0 I couldn’t get my mail anymore, and the system log said "couriertls: accept: error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal parameter" every time I tried to connect with Thunderbird.

In Thunderbird, pressing Ctrl+Shift+J opens the Error Console. It gives much more detailed information than the error dialogs with "Something went wrong" messages.

Thunderbird is not happy with the number of bits in the server's DH parameters. The client rejects the DH group during the handshake and sends an illegal_parameter alert, and that alert is what Courier logs as "sslv3 alert illegal parameter" (the "sslv3" is just OpenSSL's naming for the alert; it does not mean SSLv3 is in use). Recently Mozilla raised the minimum from 768 bits to at least 1024 bits, the response to the Logjam attack on weak DH groups.

The culprit turns out to be the file /usr/share/dhparams.pem. This file contains the DH parameters for Courier IMAP, and it is regenerated regularly, with a minimum age of 25 days: a file generated earlier with a smaller size stays in place until it is that old. The file is supposed to be regenerated automatically, either on reboot or once a month, but I haven’t put effort into finding out who or what does it. A search for mkdhparams in /etc/ yielded no results.

To solve the problem here and now, run this in a root terminal (deleting the file forces mkdhparams to generate a new one instead of keeping the existing, too-small one):

export DH_BITS=2048
rm /usr/share/dhparams.pem; mkdhparams

To make the size permanent, add export DH_BITS=2048 to /root/.bashrc. Note that .bashrc is only read by interactive shells: whatever regenerates the file automatically (a cron job or init script) will not see it, so set DH_BITS in that job's environment as well, otherwise the next automatic regeneration may fall back to the script's default size.
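The following script is an added example and not part of the original post or of Courier: it checks how large the DH group in dhparams.pem actually is (the figure Thunderbird objects to) and regenerates the file with mkdhparams only when it is below a floor. The path /usr/share/dhparams.pem is taken from the post; the 2048-bit floor, the MIN_DH_BITS variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from Courier): verify the size
# of Courier's DH group and regenerate it with mkdhparams when it is too small.
# Assumptions: file path from the post, 2048-bit floor, MIN_DH_BITS variable.

DHPARAMS="${DHPARAMS:-/usr/share/dhparams.pem}"
MIN_DH_BITS="${MIN_DH_BITS:-2048}"

# Pull the group size out of `openssl dhparam -text -noout` output, which
# contains a line such as "    DH Parameters: (1024 bit)".
dh_bits_from_text() {
    sed -n 's/^[[:space:]]*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Size of the DH group in a PEM file; 0 when the file is missing or unparsable.
dh_bits_in_file() {
    [ -r "$1" ] || { echo 0; return; }
    bits=$(openssl dhparam -in "$1" -text -noout 2>/dev/null | dh_bits_from_text)
    echo "${bits:-0}"
}

# True (exit 0) when the group is below the floor: this is the situation in
# which the client rejects the handshake with an illegal_parameter alert.
dh_too_small() {
    [ "$1" -lt "$MIN_DH_BITS" ]
}

main() {
    file="${1:-$DHPARAMS}"
    bits=$(dh_bits_in_file "$file")
    if dh_too_small "$bits"; then
        echo "$file has a ${bits}-bit DH group (< $MIN_DH_BITS), regenerating" >&2
        rm -f "$file"
        # mkdhparams reads the size from the DH_BITS environment variable,
        # exactly as the manual fix in the post does.
        DH_BITS="$MIN_DH_BITS" mkdhparams
    else
        echo "$file already has a ${bits}-bit DH group" >&2
    fi
}

# Only act when a path is given, so the functions can be sourced on their own.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as root with the file to check, e.g. sh dh-check.sh /usr/share/dhparams.pem. Generating a 2048-bit group takes a while, so expect mkdhparams to run for some minutes. To confirm from the client side, openssl s_client -connect mail.example.org:993 -cipher DHE (host name assumed) prints a "Server Temp Key: DH, 2048 bits" line once the server hands out the new group.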