9. December 2015

Thunderbird and Outlook solution of problem with Courier IMAP sslv3 alert illegal parameter

E-mail clients like Thunderbird or Outlook stopped communicating with Courier IMAP/SMTP/POP over TLS after an upgrade.

The only clue in the log file was this error message:

courier couriertls: accept: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter

The problem was that the certificate for IMAP (/etc/courier/imapd.pem) and /etc/courier/dhparam.pem contained a key that was too short. Such a short key used to be sufficient for encrypted communication. Unfortunately, the maintainers of the Debian package forgot to add a fix for the upgrade.

The issue is very simple to fix. Just generate DH parameters of sufficient length.

DH_BITS=2048 mkdhparams

This command will update /etc/courier/dhparam.pem.

Make sure to update all PEM files that contain a DH record.

Restart the services and clients should be able to reconnect without problems.
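To find which PEM files still carry a short DH record, the following added example (not part of the original post) reads every DH PARAMETERS block in a file and reports the size of its prime, using the 2048-bit minimum from the command above. The function names and the sample generator are assumptions made for this illustration; the sample input is constructed and is not a real DH prime.

```python
import base64
import re
import sys

DH_BLOCK = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

def read_tlv(data, pos=0):
    """Return (tag, value, next_pos) of the DER element starting at pos."""
    if len(data) < pos + 2:
        raise ValueError("truncated DER header")
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:pos + length], pos + length

def dh_bits(pem_text):
    """Bit length of the prime p in every DH PARAMETERS block of pem_text."""
    sizes = []
    for block in DH_BLOCK.findall(pem_text):
        tag, seq, _ = read_tlv(base64.b64decode("".join(block.split())))
        ptag, p, _ = read_tlv(seq)
        if (tag, ptag) != (0x30, 0x02):
            raise ValueError("expected SEQUENCE starting with INTEGER p")
        sizes.append(int.from_bytes(p, "big").bit_length())
    return sizes

def der_encode(tag, body):
    """Encode one DER element (only used to build the constructed sample)."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_pem(bits):
    """Constructed input: p is an odd number of `bits` bits, not a real DH prime."""
    p = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    seq = der_encode(0x30, der_encode(0x02, p) + der_encode(0x02, b"\x02"))
    body = base64.encodebytes(seq).decode()
    return f"-----BEGIN DH PARAMETERS-----\n{body}-----END DH PARAMETERS-----\n"

if __name__ == "__main__":
    print("constructed samples:", dh_bits(sample_pem(1024) + sample_pem(2048)))
    for path in sys.argv[1:]:
        with open(path, errors="replace") as fh:
            for bits in dh_bits(fh.read()):
                print(path, bits, "OK" if bits >= 2048 else "TOO SHORT")
```

Pass the files to check as arguments, for example /etc/courier/*.pem; files without a DH record produce no output.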

If you still experience issues with PEM files, check out the article PEM routines:PEM_read_bio:no start line.

19. February 2012

Tomcat 7 and curl – SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

There is a very annoying bug in OpenSSL 1.0 which affects curl. When you try to access Tomcat 7 over HTTPS with curl, you’ll get a fancy error:

curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

The -k parameter does not work at all.

You’re not able to make any request against Tomcat 7 over HTTPS in its default configuration.

The solution is to restrict the available ciphers in Tomcat’s HTTPS connector:

ciphers="SSL_RSA_WITH_RC4_128_SHA"

Restart Tomcat and curl will work.