為了改善您的使用體驗,本網站正在進行維護,部分功能暫時無法使用。若本站的文件無法解決您的問題,想要向社群發問的話,請到 Twitter 上的 @FirefoxSupport 或 Reddit 上的 /r/firefox 發問,我們的社群成員將很快會回覆您的疑問。

搜尋 Mozilla 技術支援網站

防止技術支援詐騙。我們絕對不會要求您撥打電話或發送簡訊,或是提供個人資訊。請用「回報濫用」功能回報可疑的行為。

了解更多

no cypher overlap - TLS and QMAIL

  • 5 回覆
  • 1 有這個問題
  • 5 次檢視
  • 最近回覆由 mopani

more options

Upgrading to Thunderbird 38.1+ breaks SMTP TLS with Qmail.

Timestamp: 2015-08-22 21:33:32 Error: An error occurred during a connection to mail.metatek.org:465. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)

I recently replaced the certificates per https://weakdh.org/sysadmin.html but this problem with Thunderbird started more than a week later.

I find this note at http://kb.odin.com/en/123160 :

  Qmail MTA
  Create (or edit) the /var/qmail/control/tlsserverciphers file so it looks like:
  ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:+HIGH:+MEDIUM
  Note: disabling SSLv3 cipher leads to impossibility to use 465 (TLS) in Thunderbird.

I find that if I enable SSLv3 I can send with TLS on port 465 or STARTTLS on port 587. This sounds like a bug that should be fixed.

Upgrading to Thunderbird 38.1+ breaks SMTP TLS with Qmail. Timestamp: 2015-08-22 21:33:32 Error: An error occurred during a connection to mail.metatek.org:465. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap) I recently replaced the certificates per https://weakdh.org/sysadmin.html but this problem with Thunderbird started more than a week later. I find this note at http://kb.odin.com/en/123160 : Qmail MTA Create (or edit) the /var/qmail/control/tlsserverciphers file so it looks like: ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:+HIGH:+MEDIUM Note: disabling SSLv3 cipher leads to impossibility to use 465 (TLS) in Thunderbird. I find that if I enable SSLv3 I can send with TLS on port 465 or STARTTLS on port 587. This sounds like a bug that should be fixed.

被選擇的解決方法

Solution: switched server from qmail to postfix which is easier to configure and more transparent in specifying cipher suites & certificates.

從原來的回覆中察看解決方案 👍 0

所有回覆 (5)

more options

What cipher suites does your server offer? Note, the sequence is important. This is a good example: https://www.grc.com/miscfiles/SChannel_Cipher_Suites.txt

由 christ1 於 修改

more options

I don't know how to tell what cipher suites the server offers for SMTP. (IMAP works fine, its just SMTP that is the problem.)

starttls.info says:

Protocol

   Supports SSLV3.
   Supports TLSV1.
   Supports TLSV1.1.
   Supports TLSV1.2.

Key exchange

   Key size is 2048 bits; that's good.

Cipher

   Weakest accepted cipher: 128.
   Strongest accepted cipher: 256.

But that's not cipher suites.

more options

How do I find out what cipher suites Thunderbird prefers?

more options
I don't know how to tell what cipher suites the server offers for SMTP.

If you're the admin of the server you should be able to tell that. Google is your friend.

How do I find out what cipher suites Thunderbird prefers?

That isn't really the point. If you set up your server for the cipher suites as per the GRC information I'm certain you won't see the 'ssl_error_no_cypher_overlap' error.

more options

選擇的解決方法

Solution: switched server from qmail to postfix which is easier to configure and more transparent in specifying cipher suites & certificates.