Avatar for Username

搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

话题已存档。 如果需要帮助请提出新问题。

no cypher overlap - TLS and QMAIL

  • 5 个回答
  • 1 人有此问题
  • 5 次查看
  • 最后回复者为 mopani

mopani
mopani
more options

Upgrading to Thunderbird 38.1+ breaks SMTP TLS with Qmail.

Timestamp: 2015-08-22 21:33:32 Error: An error occurred during a connection to mail.metatek.org:465. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)

I recently replaced the certificates per https://weakdh.org/sysadmin.html but this problem with Thunderbird started more than a week later.

I find this note at http://kb.odin.com/en/123160 : 

  Qmail MTA

  Create (or edit) the /var/qmail/control/tlsserverciphers file so it looks like:

  ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:+HIGH:+MEDIUM

  Note: disabling SSLv3 cipher leads to impossibility to use 465 (TLS) in Thunderbird.

I find that if I enable SSLv3 I can send with TLS on port 465 or STARTTLS on port 587. This sounds like a bug that should be fixed.

Upgrading to Thunderbird 38.1+ breaks SMTP TLS with Qmail. Timestamp: 2015-08-22 21:33:32 Error: An error occurred during a connection to mail.metatek.org:465. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap) I recently replaced the certificates per https://weakdh.org/sysadmin.html but this problem with Thunderbird started more than a week later. I find this note at http://kb.odin.com/en/123160 : Qmail MTA Create (or edit) the /var/qmail/control/tlsserverciphers file so it looks like: ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:+HIGH:+MEDIUM Note: disabling SSLv3 cipher leads to impossibility to use 465 (TLS) in Thunderbird. I find that if I enable SSLv3 I can send with TLS on port 465 or STARTTLS on port 587. This sounds like a bug that should be fixed.

被采纳的解决方案

Solution: switched server from qmail to postfix which is easier to configure and more transparent in specifying cipher suites & certificates.

定位到答案原位置 👍 0

所有回复 (5)

christ1
christ1
  • Top 25 Contributor
more options

What cipher suites does your server offer? Note, the sequence is important. This is a good example: https://www.grc.com/miscfiles/SChannel_Cipher_Suites.txt

由christ1于修改

mopani
mopani 提问者
more options

I don't know how to tell what cipher suites the server offers for SMTP. (IMAP works fine, its just SMTP that is the problem.)

starttls.info says:

Protocol 

   Supports SSLV3.
   Supports TLSV1.
   Supports TLSV1.1.
   Supports TLSV1.2.

Key exchange 

   Key size is 2048 bits; that's good.

Cipher 

   Weakest accepted cipher: 128.
   Strongest accepted cipher: 256.

But that's not cipher suites.

mopani
mopani 提问者
more options

How do I find out what cipher suites Thunderbird prefers?

christ1
christ1
  • Top 25 Contributor
more options
I don't know how to tell what cipher suites the server offers for SMTP.

If you're the admin of the server you should be able to tell that. Google is your friend.

How do I find out what cipher suites Thunderbird prefers?

That isn't really the point. If you set up your server for the cipher suites as per the GRC information I'm certain you won't see the 'ssl_error_no_cypher_overlap' error.

mopani
mopani 提问者
more options

选择的解决方案

Solution: switched server from qmail to postfix which is easier to configure and more transparent in specifying cipher suites & certificates.