Closed
Bug 1335346
Opened 9 years ago
Closed 5 years ago
cipherli.st recommends cipher suite settings for dovecot/exim that result in Thunderbird not being able to connect
Categories
(Web Compatibility :: Site Reports, defect, P5)
Tracking
(Not tracked)
RESOLVED
INACTIVE
People
(Reporter: u534134, Unassigned)
Details
(Whiteboard: [non-compat] [thunderbird])
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:51.0) Gecko/20100101 Firefox/51.0
Build ID: 20170125094131
Steps to reproduce:
I am using Thunderbird 45.7.0
I configured my server Exim and Dovecot to use a secure cipher suite
https://cipherli.st/
EXIM:
tls_require_ciphers = AES128+EECDH:AES128+EDH
openssl_options = +no_sslv2 +no_sslv3
Dovecot
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = AES128+EECDH:AES128+EDH
With this, Thunderbird is unable to send email.
Error:
SSL_ERROR_NO_CYPHER_OVERLAP
Actual results:
I cannot send emails from Thunderbird
Expected results:
Be able to safely send email
Comment 1•9 years ago
I don't think we have enough capacity and knowledge to get to this sort of problem anytime soon.
Since TB is open source, you might want to investigate the problem yourself.
Since TB is using Mozilla core technology for anything security-related, your best bet would be to construct a case where such error occurs using Firefox only. Then you can refer the problem to the Mozilla core team.
Looking at https://cipherli.st/, there is also Apache configuration, so this problem might be reproducible in FF alone.
Also, try TB 52 beta (https://www.mozilla.org/en-US/thunderbird/channel/), maybe the security technology has been improved since TB 45.x.
Comment 2•9 years ago
Appears not to be a supported cipher suite. The supported ones are listed here: https://dxr.mozilla.org/comm-central/rev/ee975d32deb9eaa5641f45428cd6a4b5b555a8f5/mozilla/security/manager/ssl/nsNSSComponent.cpp
Comment 3•9 years ago
Care to add the line number ;-(
Comment 4•9 years ago
And use the direct Mozilla Central link, please, since at first sight this looks like C-C.
Comment 5•9 years ago
Comment 6•9 years ago
In which case this bug should go to Core::Security:PSM (like for example bug 934663).
I'll ask a few M-C people. David and Brian, could you please comment here.
Flags: needinfo?(dkeeler)
Flags: needinfo?(brian)
Comment 7•9 years ago
Can you give us a link to the results from putting your domain name in https://www.ssllabs.com/ssltest/index.html ? This will help us figure out what actual cipher suites that configuration results in.
Flags: needinfo?(ocispposta)
Flags: needinfo?(dkeeler)
Flags: needinfo?(brian)
(In reply to David Keeler [:keeler] (use needinfo?) from comment #7)
> Can you give us a link to the results from putting your domain name in
> https://www.ssllabs.com/ssltest/index.html ? This will help us figure out
> what actual cipher suites that configuration results in.
Sorry, no. I added to Exim and Dovecot the ciphers AES256+EECDH:AES256+EDH:!aNULL
so this seems to allow Thunderbird to work.
So it seems the cipher suite suggested for Exim and Dovecot
AES128+EECDH:AES128+EDH
is not supported by Thunderbird.
The question maybe can be: are these two ciphers secure to be added or... maybe the website https://cipherli.st/ has wrong information?
I looked at Google for "Exim ciphers" and found that website, but these suggested ciphers seem not to work with Thunderbird. It is up to you to evaluate whether this can be an issue, so the ciphers should be added or not.
Thanks :)
Flags: needinfo?(ocispposta)
Comment 9•9 years ago
Can you copy/paste the cipher suites section, then? The problem is that AES128+EECDH:AES128+EDH doesn't actually tell me what cipher suites are enabled in your servers, so I can't tell you what we would have to enable (or if we would) to make Thunderbird connect.
Flags: needinfo?(ocispposta)
Comment 10•9 years ago
Flags: needinfo?(ocispposta)
Comment 11•9 years ago
Oh, whoops - that's not actually directly helpful since that tool scans the http server, not the imap or smtp servers. In any case, using that domain name, it seems both the imap server and the smtp server support DHE-RSA-AES256-GCM-SHA384, DHE-RSA-AES256-SHA256, and DHE-RSA-AES256-SHA. Of these, Firefox/Thunderbird supports the last one, so that should work. In about:config, are any of the security.ssl3.* preferences set to false?
In any case, to answer your question in comment 8, it looks like the recommendations at https://cipherli.st/ are at best incomplete.
Flags: needinfo?(ocispposta)
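As an added illustration (not code from this bug or from Mozilla), this shows the point comment 9 makes: an OpenSSL cipher string such as AES128+EECDH:AES128+EDH names a selection policy, not concrete suites, so a mail admin can expand it against the local OpenSSL build and check the overlap with a client's suite list before rolling it out. The client list below is a constructed assumption modelled on comment 11 (of the three DHE-RSA-AES256 suites the servers offered, only DHE-RSA-AES256-SHA was accepted by the client); the expansion depends on whichever OpenSSL the Python interpreter links against.

```python
import ssl

# Constructed from comment 11: suites the reporter's IMAP and SMTP servers offered
# after switching to the AES256 cipher string.
SERVER_SUITES_AES256 = [
    "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES256-SHA256",
    "DHE-RSA-AES256-SHA",
]

# Constructed client list (assumption, not Thunderbird's real table): modelled on
# comment 11, which says only DHE-RSA-AES256-SHA of the three above was supported.
CLIENT_SUITES_ASSUMED = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA",
    "DHE-RSA-AES128-SHA",
    "DHE-RSA-AES256-SHA",
    "AES128-SHA",
]


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string (the format used by Exim's
    tls_require_ciphers and Dovecot's ssl_cipher_list) into the concrete
    TLS <= 1.2 suites it enables on the local OpenSSL library.
    OpenSSL lists TLS 1.3 suites regardless of the string, so those are
    filtered out to show only what the string actually controls."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def find_overlap(server_suites, client_suites):
    """Suites both sides support, in the server's preference order.
    An empty result is what the client reports as SSL_ERROR_NO_CYPHER_OVERLAP."""
    client = set(client_suites)
    return [s for s in server_suites if s in client]


def check_config(cipher_string, client_suites):
    """Expand a server cipher string and return the suites a client with the
    given list could negotiate against it (empty means the handshake fails)."""
    return find_overlap(expand_cipher_string(cipher_string), client_suites)


if __name__ == "__main__":
    for cs in ("AES128+EECDH:AES128+EDH", "AES256+EECDH:AES256+EDH:!aNULL"):
        print(cs, "->", expand_cipher_string(cs))
        print("  overlap with constructed client:", check_config(cs, CLIENT_SUITES_ASSUMED))
    print("comment 11 servers:", find_overlap(SERVER_SUITES_AES256, CLIENT_SUITES_ASSUMED))
```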
Comment 12•9 years ago
Ok, so maybe no issue here.
I just reported that I took the cipher configuration on https://cipherli.st/ for Exim and Dovecot; if you follow this configuration, you are unable to use Thunderbird.
Just wanted to report this.
I made an edit afterwards, so maybe now it is working because I added DHE-RSA-AES256-SHA
Flags: needinfo?(ocispposta)
Comment 13•9 years ago
Ok - thanks! This is more of a tech evangelism bug, then. (Also note https://github.com/RaymiiOrg/cipherli.st/issues/58 )
Component: Untriaged → Desktop
Product: Thunderbird → Tech Evangelism
Summary: SSL_ERROR_NO_CYPHER_OVERLAP → cipherli.st recommends cipher suite settings for dovecot/exim that result in Thunderbird not being able to connect
Version: 45 Branch → unspecified
Updated•7 years ago
Priority: -- → P5
Updated•6 years ago
Whiteboard: [non-compat] [thunderbird]
Updated•6 years ago
Product: Tech Evangelism → Web Compatibility
Comment 14•5 years ago
Probably for someone on the thunderbird community to address
https://chat.mozilla.org/#/room/#thunderbird:mozilla.org
Closing here.
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → INACTIVE