DH Parameter Limit and Logjam

A client-side upgrade to libssl caused my mail client to fail, reporting an undersized DH parameter. The reason for this was straightforward: a potential exploit, "LOGJAM", made an increase of the minimum parameter length necessary. 2048 bits is the recommended working value.

Unfortunately the server-side fix was not so easy, since it was quite hard to find where the various certificates etc. are located.

OpenSSL worked ok to diagnose the SMTP link, but would not connect properly using the IMAP protocol for some reason.
A post by Thomas Barth was a helpful start.

The following sequence generated a larger DH parameter and passed it to Courier IMAP on a Debian server.


# keep the old parameters in case something needs rolling back
mv /etc/courier/dhparams.pem /etc/courier/dhparams.pem.old
# generate a fresh 2048-bit group (this can take several minutes on a small server)
openssl dhparam -out /etc/courier/dhparams.pem 2048
chmod 600 /etc/courier/dhparams.pem
# then edit /etc/courier/imapd.pem and replace the "DH PARAMETERS" section
# after the certificate with the contents of the just-generated /etc/courier/dhparams.pem
# then restart both daemons so they reload imapd.pem
/etc/init.d/courier-imap restart
/etc/init.d/courier-imap-ssl restart
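To confirm that the new parameters are the ones the server actually negotiates, here is a small POSIX shell script as an added example (it is not part of the original post, nor Courier's or OpenSSL's own tooling). It parses the "Server Temp Key" line that openssl s_client prints, parses the group size from openssl dhparam -text, and judges both against the 2048-bit minimum. The hostnames, ports and the sample s_client output inside it are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: verify the DH group size a
# mail server actually negotiates, and the size of a dhparams.pem file.
# Hostnames, ports and the sample s_client output below are constructed.

# Pull the ephemeral DH size out of `openssl s_client` output, which
# reports a line such as "Server Temp Key: DH, 2048 bits" (OpenSSL 1.0.2+).
# Prints the bit count, or "none" when no finite-field DH key was shown
# (ECDHE, a failed handshake, or a server without DHE suites).
dh_bits_from_s_client() {
    # $1: captured s_client output
    bits=$(printf '%s\n' "$1" \
        | sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' \
        | head -n 1)
    if [ -z "$bits" ]; then echo none; else echo "$bits"; fi
}

# Pull the group size out of `openssl dhparam -text -noout` output,
# which reports "DH Parameters: (2048 bit)".
dh_bits_from_dhparam_text() {
    # $1: captured dhparam -text output
    bits=$(printf '%s\n' "$1" \
        | sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' \
        | head -n 1)
    if [ -z "$bits" ]; then echo none; else echo "$bits"; fi
}

# Exit 0 when the size meets the minimum (default 2048, the value the
# post settles on), 1 otherwise. "none" and other non-numbers never pass.
dh_size_ok() {
    # $1: bit count or "none"; $2: minimum in bits
    min=${2:-2048}
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$min" ]
}

# Live check (needs network access and the openssl CLI; not run by the test).
# Forces a TLS 1.2 DHE suite so the server's own dhparams are exercised
# instead of an ECDHE curve. Usage:
#   live_dh_bits mail.example.com 25  smtp   # STARTTLS on the SMTP port
#   live_dh_bits mail.example.com 143 imap   # STARTTLS on the IMAP port
#   live_dh_bits mail.example.com 993        # implicit TLS, no STARTTLS
live_dh_bits() {
    host=$1; port=$2; proto=${3:-}
    if [ -n "$proto" ]; then
        out=$(openssl s_client -connect "$host:$port" -starttls "$proto" \
                  -tls1_2 -cipher 'DHE' </dev/null 2>&1)
    else
        out=$(openssl s_client -connect "$host:$port" \
                  -tls1_2 -cipher 'DHE' </dev/null 2>&1)
    fi
    dh_bits_from_s_client "$out"
}

# Group size of an on-disk parameter file such as /etc/courier/dhparams.pem
# (also needs the openssl CLI; not run by the test).
dhparams_file_bits() {
    dh_bits_from_dhparam_text "$(openssl dhparam -in "$1" -text -noout 2>/dev/null)"
}

# Constructed sample of what s_client prints against a server still on a
# 1024-bit group. Illustrative text, not a real capture.
SAMPLE_WEAK='---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 1905 bytes and written 470 bytes'

# Run the live check only when DH_CHECK_HOST is set, for example:
#   DH_CHECK_HOST=mail.example.com DH_CHECK_PORT=143 DH_CHECK_PROTO=imap sh dhcheck.sh
if [ -n "${DH_CHECK_HOST:-}" ]; then
    b=$(live_dh_bits "$DH_CHECK_HOST" "${DH_CHECK_PORT:-993}" "${DH_CHECK_PROTO:-}")
    if dh_size_ok "$b"; then
        echo "DH $b bits: ok"
    else
        echo "DH $b: too small or no DHE negotiated (want >= 2048 bits)"
    fi
fi
```

Two caveats when using this against Courier: s_client only speaks the mail protocols when told to, so port 143 needs -starttls imap while port 993 is plain TLS with no -starttls, and the check is meaningful only for TLS 1.2 DHE suites, because TLS 1.3 uses the named ffdhe groups rather than the parameters in imapd.pem. A result of "none" therefore means the server never offered its own DH group, not that the group is strong.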