Hi,

> probably you are right. I haven't yet had any problems depending on this
> bug report. But I'm also no professional for anything related to mail
> servers and their configuration. Unfortunately the exim maintainers
> haven't said anything about this topic, so yes, maybe the conclusions
> in the NEWS and DEBIAN.readme are not fully correct. But the longer I
> think about it, I'm willing to say you are right and mostly the server
> configs are not fully correct, especially for the settings around the
> Ciphersuites.
>
> Also unfortunately Mozilla hasn't a really clear changelog where we
> can see what's really changed inside the release. Neither the full
> changelog [1] for version 31 nor the Thunderbird Blog [2] made a clear
> statement.

On a quick Google search, the only remark I found is the following [1]:

> There is currently no fallback from TLS 1.1/1.2 to earlier protocols.
> Thus, selecting security.tls.version.max = 2 (or 3) for TLS 1.1 (or
> 1.2) support results in the connection failing when the server
> connected to doesn't support that version. Once the fallback is
> implemented, the default for security.tls.version.max will be changed
> to 3 to utilize the most recent TLS 1.2 version by default.

That one is also indirectly referenced in this bug report (through
serverfault). This sounds very similar to what you described. However,
it's probably outdated. As mentioned there, the default has only been
switched once that fallback has been implemented. I know that Firefox
supported TLS 1.2 for a few releases before it got enabled by default,
because the fallback has been missing - and only after it has been
implemented, TLS 1.2 got enabled by default with Firefox 27. Maybe the
same applies to Thunderbird, and I would expect that Thunderbird 31
contains more recent networking code than Firefox 27.

Regarding the problem with exim, I have no idea. The problem may well be
related to the fallback mechanism, but then it's a bug in that mechanism
(that should probably be reported upstream) and not the complete lack
thereof.

Dmitry, if you are reading this - it would be interesting to know the
exact set of ciphers and protocols supported by the problematic server.
This can be obtained, for example, with
<https://www.ralfj.de/git/tls-check.git>.

I am using postfix on my server, and I never had any problems wrt. TLS.

[1] <http://kb.mozillazine.org/Security.tls.version.*#Caveats>

Kind regards
Ralf

