Openssl problem

[ErwanG]

Hello,

We have a problem with the last release of "openssl": some emails are not delivery.
Log message: SSL_routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh_key_too_small;_connected_toX.X.X.X

1) We have updated distrib: #yum update
2) After this, we have: Openssl 1.0.1e-42.el6 (CentOS release 6.6)
Plesk12 on the server.

We have the problem with the 10 servers we have updated.
All of them with Plesk 12.

How can we resolve that?

 

[ErwanG]

It seems that the problem is servers (not ours, but mail to) vulnerable to Logjam TLS vulnerability.
I search a solution for Qmail...

 

[IgorG]

It seems that the problem is servers vulnerable to Logjam TLS vulnerability.
I search a solution for Qmail...

http://kb.odin.com/en/125741

 

[ErwanG]

Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time

..............................+...

Since 20 minutes.... is it normal?

 

[IgorG]

Since 20 minutes.... is it normal?

Yep.

 

[ErwanG]

ok. Finished.

 

[ErwanG]

We have now in the log:
sslv3_alert_handshake_failure;_connected_toX.X.X.X

Mails stays in the queue...

 

[IgorG]

What about switching to more modern Postfix MTA?

 

[ErwanG]

Igor: not yet for theses servers...

And for "sslv3_alert_handshake_failure"?

 

[IgorG]

That's mean that ssl3 connection is disabled.

 

[ErwanG]

But it's normal after this http://kb.odin.com/en/125741 no?

 

[IgorG]

But it's normal after this http://kb.odin.com/en/125741 no?

Yes, in scope of http://kb.odin.com/en/123160

 

[ErwanG]

So there isn't solution for sslv3_alert_handshake_failure;??