Exim after Thunderbird update: "Could not negotiate a supported cipher suite" [closed]

Recently, after I installed updates on my Kubuntu 14.04 system and a new version of Thunderbird was installed, I could not send emails any more. It prompts:

Sending of message failed. The message could not be sent because the connection to SMTP server [..] was lost in the middle of the transaction. Try again or contact your network administrator.

Since I am the administrator of my mail server (Exim) I checked the logs. Every time I try to send an email with Thunderbird it says:

TLS error on connection from [..] (gnutls_handshake): Could not negotiate a supported cipher suite.

That's odd. How could that happen out of the blue? I googled the problem, but other people with this message in the logs had something wrong with their certificate installation (too new algorithm or the like). But I did not change anything with my certificate and additionally it is still no problem to send mails with K-9 Mail from my android phone (which has the same TLS settings).

My server runs Debian 7.6 with Exim 4.80.

(In case it matters: My certificates are signed by CACert).

For now I downgraded Thunderbird (sudo apt-get install thunderbird=1:24.4.0+build1-0ubuntu1). This worked, but is of course no permanent solution.

What is wrong and how can I fix it?


Solution 1:

Firefox and Thunderbird 31 removed support for weak cipher suites, therefore you are getting this error.

You need to update your server's SSL configuration according to this Mozilla wiki article.

A quote of the recommended backward compatible cipher suite string:

  • Ciphersuite: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
  • Versions: SSLv3, TLSv1, TLSv1.1, TLSv1.2
  • RSA key size: 2048
  • DH Parameter size: 1024
  • Elliptic curves: secp256r1, secp384r1, secp521r1

You should be able to specify the ciphers with the tls_require_ciphers directive. It should accept the Ciphersuite string from above.
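As an added example (not from the answer, Mozilla or Exim), the Python script below expands the quoted OpenSSL cipher string against the local OpenSSL to show which suites it really enables, flags anything the !-exclusions were meant to keep out, and optionally runs a STARTTLS probe against an SMTP server to report what gets negotiated; the host and port you pass to the probe are placeholders you supply.

```python
import smtplib
import ssl
from typing import List, Tuple

# The backward-compatible cipher string quoted in the answer (OpenSSL syntax).
MOZILLA_INTERMEDIATE = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK"
)


def allowed_ciphers(cipher_string: str) -> List[str]:
    """Expand an OpenSSL cipher string with the local OpenSSL and return the
    suite names it enables, in preference order. Unknown names are skipped by
    OpenSSL, so this shows what a server would really offer."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(names: List[str]) -> List[str]:
    """Return suites the string's !-rules were supposed to exclude: NULL auth or
    encryption, export grades, single DES (3DES is deliberately kept), RC4,
    MD5 and PSK."""
    def is_weak(n: str) -> bool:
        single_des = "DES" in n and "CBC3" not in n and "3DES" not in n
        return (n.startswith("EXP") or "NULL" in n or "RC4" in n
                or "MD5" in n or "PSK" in n or single_des)
    return [n for n in names if is_weak(n)]


def probe_smtp_starttls(host: str, port: int = 587,
                        cipher_string: str = MOZILLA_INTERMEDIATE) -> Tuple[str, str]:
    """Connect to an SMTP server (placeholder host/port), run STARTTLS offering
    only cipher_string, and return (tls_version, negotiated_suite).
    Needs network access; not exercised by the offline checks."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(cipher_string)
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.version(), smtp.sock.cipher()[0]


if __name__ == "__main__":
    enabled = allowed_ciphers(MOZILLA_INTERMEDIATE)
    print(f"{len(enabled)} suites enabled, weak: {weak_ciphers(enabled)}")
```

The log line in the question names gnutls_handshake, and an Exim built against GnuTLS (as Debian's is) reads tls_require_ciphers as a GnuTLS priority string, not this OpenSSL syntax, so this script validates only the OpenSSL form.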

Solution 2:

As you can read here http://kb.mozillazine.org/Security.tls.version.*, Thunderbird with Security.tls.version.max set to 2 or 3 will not fall back to lower settings.

Even if you configure Exim 4.80 with the tls_require_ciphers as mentioned above, it will not offer ECDHE in the first place (at least that's what I've read somewhere, so believe this with care). Maybe this is also a certificate issue, and renewing it with different settings could help, too.

So to have Thunderbird behave as before, go to the configuration editor (Preferences -> Advanced -> Config Editor button) and search for tls, then change security.tls.version.max to 1 and it should work again.