Re: [exim] TLS fatal alert for connections from web.de

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] TLS fatal alert for connections from web.de
The web.de TLS implementation seems to have multiple problems.

    http://archives.neohapsis.com/archives/postfix/2013-08/thread.html#291


Here they were sending internal error alerts when the Postfix server
had both an RSA and an ECDSA certificate. Their SMTP client
selected ECDSA and then failed. When the ECDSA certificate was dropped
from the configuration, TLS reputedly worked.

    - web.de/gmx.de have a borked TLS stack


    - The Postfix server in the above thread supports EECDH as well
      as (prime) EDH.  So it is possible that web.de's TLS stack is
      allergic to 1024-bit DH primes, but not to EECDH (ephemeral
      elliptic curve Diffie-Hellman key exchange).


In any case, there is evidence that web.de has multiple interop
problems; I think this is their problem to fix.

-- 
    Viktor.
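The "fatal alert" in the subject line and the "internal error alerts" in the Postfix thread are TLS alert records sent by the peer before it closes the connection. When debugging an interop failure like this one, the first thing to pull out of a packet capture is the exact alert level and description the remote side returned. The following decoder is an added example, not part of the message above or of Exim or Postfix; it parses raw TLS record bytes, picks out alert records, and names the level and description per RFC 5246. The capture bytes are constructed for illustration, and the handshake record in them is an opaque fragment, not a valid ClientHello.

```python
"""Decode TLS alert records from captured TLS record-layer bytes."""
import struct

# TLS record-layer content types (RFC 5246, section 6.2.1).
CONTENT_TYPE_ALERT = 21
CONTENT_TYPE_HANDSHAKE = 22

# Alert levels and a subset of alert descriptions (RFC 5246, section 7.2).
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    22: "record_overflow",
    30: "decompression_failure",
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    47: "illegal_parameter",
    48: "unknown_ca",
    49: "access_denied",
    50: "decode_error",
    51: "decrypt_error",
    70: "protocol_version",
    71: "insufficient_security",
    80: "internal_error",
    90: "user_canceled",
    100: "no_renegotiation",
    110: "unsupported_extension",
}
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def parse_records(data):
    """Split raw bytes into (content_type, (major, minor), payload) records.

    Raises ValueError on a truncated header or body, so a cut-off capture
    is reported rather than silently misread.
    """
    records = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError("truncated record header at offset %d" % offset)
        ctype, major, minor, length = struct.unpack("!BBBH", data[offset:offset + 5])
        body = data[offset + 5:offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body at offset %d" % offset)
        records.append((ctype, (major, minor), body))
        offset += 5 + length
    return records


def decode_alert(body):
    """Turn a two-byte alert payload into a dict with readable names."""
    if len(body) != 2:
        raise ValueError("alert payload must be 2 bytes, got %d" % len(body))
    level, description = body[0], body[1]
    return {
        "level": ALERT_LEVELS.get(level, "unknown(%d)" % level),
        "description": ALERT_DESCRIPTIONS.get(description, "unknown(%d)" % description),
        "fatal": level == 2,
    }


def find_alerts(data):
    """Return decoded alerts, each tagged with the record-layer version."""
    alerts = []
    for ctype, version, body in parse_records(data):
        if ctype == CONTENT_TYPE_ALERT:
            alert = decode_alert(body)
            alert["version"] = TLS_VERSIONS.get(version, "unknown %d.%d" % version)
            alerts.append(alert)
    return alerts


# Constructed sample capture: an opaque handshake fragment (not a valid
# ClientHello) followed by a TLS 1.2 fatal internal_error alert, the kind
# of alert the Postfix thread describes web.de's client sending.
SAMPLE_CAPTURE = (
    b"\x16\x03\x01\x00\x06" + b"\x01\x00\x00\x02\x03\x03"  # handshake record
    + b"\x15\x03\x03\x00\x02" + b"\x02\x50"                 # alert: fatal(2), internal_error(80)
)

# Constructed second sample: a TLS 1.0 fatal handshake_failure alert.
SAMPLE_HANDSHAKE_FAILURE = b"\x15\x03\x01\x00\x02" + b"\x02\x28"

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_CAPTURE) + find_alerts(SAMPLE_HANDSHAKE_FAILURE):
        print("%(version)s %(level)s alert: %(description)s" % alert)
```

Feed it the raw bytes of the server-to-client or client-to-server TCP stream after STARTTLS (for example, exported from a capture tool) and it will list every alert in the order it appeared; a fatal alert immediately after the certificate exchange points at the peer's handling of the certificate or key exchange rather than at the record layer.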