#1 2026-03-23 09:38:40

zappathustra
Member
Registered: 2014-06-15
Posts: 30

[SOLVED] Can't send mail with Mutt because of SSL "dh key too small"..

I manage three email accounts with Mutt. With one of them, sending email returns:

SSL a échoué : error:0A00018A:SSL routines::dh key too small

where `a échoué' means `failed'. This happens on only one of my two laptops, and there was a time when it worked properly on both.

What I can find here and there points to a problem on the server side, but then it should affect my other computer too. As an uncertain fix, I find the suggestion of changing

CipherString = DEFAULT@SECLEVEL=2

to

CipherString = DEFAULT@SECLEVEL=1

in /etc/ssl/openssl.cnf, but there is no such line in that file. Before trying to add it anyway, which I'm not very comfortable with since I'm a total newb with security issues, maybe somebody here has a clue?

Last edited by zappathustra (2026-03-23 10:38:51)

#2 2026-03-23 10:18:55

-thc
Member
Registered: 2017-03-15
Posts: 1,117

Re: [SOLVED] Can't send mail with Mutt because of SSL "dh key too small"..

The probable cause is changes to OpenSSL due to the Logjam attacks. Quote from stackoverflow:

While it is caused by changes to OpenSSL the problem is actually at the server side. The server is using a weak DH key within the key exchange and recent versions of OpenSSL enforce a non-weak DH key because of the Logjam attack.

If the server supports ciphers which don't use DH key exchange you can work around the problem by restricting the ciphers offered by the client so that they don't include any DH ciphers.

This must be done via "Muttrc" (changing openssl.cnf will achieve nothing):

ssl_ciphers = 'DEFAULT:!DH'

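As an added example (not from the thread or from the Mutt project), the check a practitioner would run before relaxing anything: `openssl s_client -starttls smtp -connect HOST:PORT` prints a `Server Temp Key` line, and the script below parses a constructed copy of that output (hypothetical host, not a real capture) and maps the reported key size to OpenSSL's security levels, showing why a 1024-bit DH key is refused at SECLEVEL=2 (needs 112 bits) yet accepted at SECLEVEL=1 (80 bits).

```python
import re

# Constructed excerpt of `openssl s_client -starttls smtp -connect mail.example.invalid:587`
# output (hypothetical host, not a real capture); only the lines the parser needs are kept.
SAMPLE_S_CLIENT_OUTPUT = """\
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Server Temp Key: DH, 1024 bits
"""

# Minimum "security bits" each OpenSSL SECLEVEL demands of every key in the handshake
# (SSL_CTX_set_security_level(3)); level 0 imposes no floor.
SECLEVEL_MIN_BITS = {0: 0, 1: 80, 2: 112, 3: 128, 4: 192, 5: 256}

def ff_security_bits(modulus_bits):
    """Strength OpenSSL assigns to a finite-field (DH/RSA) modulus, as in BN_security_bits()."""
    for threshold, secbits in ((15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)):
        if modulus_bits >= threshold:
            return secbits
    return 0  # below 1024 bits OpenSSL rates the key at zero

def temp_key_security_bits(kind, bits):
    """Strength of the ephemeral key-exchange key reported on the 'Server Temp Key' line."""
    if kind == "DH":
        return ff_security_bits(bits)
    if kind == "X25519":
        return 128
    return bits // 2  # NIST ECDH curves: roughly half the field size (P-256 -> 128)

def parse_temp_key(s_client_output):
    """Return (kind, bits) from the 'Server Temp Key' line, or None if none was printed."""
    m = re.search(r"^Server Temp Key: (\w+), (?:[\w-]+, )?(\d+) bits", s_client_output, re.M)
    return (m.group(1), int(m.group(2))) if m else None

def assess_temp_key(s_client_output, configured_level=2):
    """Report whether OpenSSL at `configured_level` would reject the server's ephemeral key."""
    key = parse_temp_key(s_client_output)
    if key is None:
        return None
    kind, bits = key
    secbits = temp_key_security_bits(kind, bits)
    highest_ok = max(lvl for lvl, need in SECLEVEL_MIN_BITS.items() if secbits >= need)
    return {
        "kind": kind, "bits": bits, "security_bits": secbits,
        "highest_accepting_seclevel": highest_ok,
        # True is the client-side condition behind the "dh key too small" failure
        "rejected_at_configured_level": secbits < SECLEVEL_MIN_BITS[configured_level],
    }
```

Calling `assess_temp_key(SAMPLE_S_CLIENT_OUTPUT)` reports the key as DH/1024 bits, 80 security bits, accepted up to SECLEVEL 1 and rejected at 2; paste real `s_client` output in place of the sample to see what the failing server actually offers.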
#3 2026-03-23 10:36:43

zappathustra
Member
Registered: 2014-06-15
Posts: 30

Re: [SOLVED] Can't send mail with Mutt because of SSL "dh key too small"..

-thc wrote:

The probable cause is changes to OpenSSL due to the Logjam attacks. Quote from stackoverflow:

While it is caused by changes to OpenSSL the problem is actually at the server side. The server is using a weak DH key within the key exchange and recent versions of OpenSSL enforce a non-weak DH key because of the Logjam attack.

If the server supports ciphers which don't use DH key exchange you can work around the problem by restricting the ciphers offered by the client so that they don't include any DH ciphers.

This must be done via "Muttrc" (changing openssl.cnf will achieve nothing):

ssl_ciphers = 'DEFAULT:!DH'

That worked! Major pain in the back removed, thanks. Wondering why the other computer doesn't need the fix, but again, I can't get my head around security...

#4 2026-03-23 12:02:49

-thc
Member
Registered: 2017-03-15
Posts: 1,117

Re: [SOLVED] Can't send mail with Mutt because of SSL "dh key too small"..

Nice.
