Re: [exim] TLS fatal alert for connections from web.de

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Viktor Dukhovni
Date:  
À: exim-users
Sujet: Re: [exim] TLS fatal alert for connections from web.de
The web.de TLS implementation seems to have multiple problems.

    http://archives.neohapsis.com/archives/postfix/2013-08/thread.html#291


here they were sending internal error alerts when the Postfix server
had an both an RSA and an ECDSA certificate. Their SMTP client
selected ECDSA and then failed. When the ECDSA certificate was dropped
from the configuration, TLS reputedly worked.

    - web.de/gmx.de have a borked TLS stack


    - The Postfix server in the above thread supports EECDH as well
      as (prime) EDH.  So it is possible that web.de's TLS stack is
      allergic to 1024-bit DH primes, but not to EECDH (ephemeral
      elliptic curve Diffie-Hellman key exchange).


In any case, there is evidence that web.de has multiple interop
problems, I think this is their problem to fix.

-- 
    Viktor.