Dear Carsten, in the NEWS file of the latest Icedove package in Debian, you are writing:
> This means every connection from Thunderbird/Icedove to a mail server will
> using TLS 1.2 with no fall back if you have configured TLS/SSL or STARTTLS
> for your connections.
>
> Some users reported trouble by this behavior. In case you are unable to get
> or sent any mails anymore from or to your mail server please ensure that
> your email provider is fully supporting TLS 1.2 if possible.

Something here cannot be quite right, or at least it's very misleading: I use an IMAP account for an e-mail address at Arcor, and the server only supports TLS 1.0. Still, Icedove can connect to that server just fine. Also, "security.tls.version.min" is set to 0 by default (indicating SSLv3 as the least supported version). So, there definitely is some kind of fallback.

Maybe that's the fallback that TLS provides anyway. A TLS 1.2-capable client connecting to a server will say something like "I support TLS 1.0-1.2, please use the best you can". A properly configured server will then choose the latest supported version. This fallback is cryptographically protected against downgrade attacks. And Icedove seems to do it, else I would be unable to connect to Arcor's IMAP server.

Firefox/Iceweasel has an *additional* layer of fallback in case the first attempt fails, which can be caused by incorrect TLS implementations on the server or a middlebox. *That* fallback is currently not protected against downgrade attacks, it's the one that enables Poodle, and it could be mitigated by TLS_FALLBACK_SCSV [1].

Maybe that's the fallback that Icedove/Thunderbird do not do? In this case, the NEWS is phrased fairly misleadingly, I think. It should clarify that servers with older TLS versions will generally work just fine, but a very small fraction of servers that have broken TLS implementations, or that run behind firewalls breaking TLS, could cease to function.
[1] <https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00>

Kind regards
Ralf
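The two mechanisms the mail distinguishes, as an added model that is not code from the mail, from Icedove/Thunderbird or from Mozilla: plain TLS version negotiation (one ClientHello, the server picks the highest common version) versus a client-side "retry one version lower" fallback, and how the TLS_FALLBACK_SCSV signal from the draft lets a server refuse an unneeded fallback. The `drops_above` parameter, the `server_hello`/`connect` helpers and the example cipher suite are constructed for the illustration.

```python
# Added model (not Icedove/Thunderbird or Mozilla code) of the two mechanisms
# distinguished in the mail: TLS's own version negotiation, and a client's
# "retry with a lower version" fallback guarded by TLS_FALLBACK_SCSV.
# Versions are the protocol's 2-byte values; the real handshake also binds the
# chosen version into the Finished MAC, which this sketch leaves out.
SSL30, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
TLS_FALLBACK_SCSV = 0x5600  # signalling cipher suite value from the draft
NAMES = {SSL30: "SSLv3", TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}


def server_hello(server_max, client_max, cipher_suites, honours_scsv=True):
    """Server side: ("ok", version) or ("alert", reason).

    Plain negotiation picks the highest version both sides support. A server
    implementing the draft refuses a ClientHello that carries the SCSV but
    offers less than the server could do: a fallback was not needed, so
    something between the peers dropped the first attempt."""
    if honours_scsv and TLS_FALLBACK_SCSV in cipher_suites \
            and client_max < server_max:
        return ("alert", "inappropriate_fallback")
    return ("ok", min(client_max, server_max))


def connect(server_max, client_min=SSL30, client_max=TLS12,
            insecure_fallback=False, honours_scsv=True, drops_above=None):
    """Client side. Returns the negotiated version name or "failed: <why>".

    insecure_fallback=False is one ClientHello announcing client_max; the
    server chooses (the fallback TLS provides anyway). With insecure_fallback
    the client retries one version lower after a failure, marking the retry
    with the SCSV. drops_above models a broken middlebox, or an active
    attacker, that kills any ClientHello offering more than that version."""
    offered = client_max
    while offered >= client_min:
        if drops_above is not None and offered > drops_above:
            outcome = ("alert", "connection dropped")
        else:
            suites = [0x002F]  # TLS_RSA_WITH_AES_128_CBC_SHA, as an example
            if offered < client_max:
                suites.append(TLS_FALLBACK_SCSV)
            outcome = server_hello(server_max, offered, suites, honours_scsv)
        if outcome[0] == "ok":
            return NAMES[outcome[1]]
        if not insecure_fallback or outcome[1] == "inappropriate_fallback":
            return "failed: " + outcome[1]
        offered -= 1
    return "failed: no common version"
```

A TLS 1.0-only server negotiates fine without any retry (the Arcor case), a client without the retry fails outright behind a middlebox that drops TLS 1.2 hellos (the NEWS scenario), and with the retry an attacker dropping every higher hello forces SSLv3 unless the server honours the SCSV.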

