thunderbird tls handshake not for imap connection
Hi, Recently Thunderbird stopped being able to connect to mail.talktalk.net. When it connects to another server I see:

    304 14.502182 192.168.0.2 213.120.69.4 TLSv1.2 571 Client Hello
Outbound connection to IMAP server from Thunderbird
    306 14.515497 213.120.69.4 192.168.0.2 TLSv1.2 1500 Server Hello
Reply from IMAP server
    308 14.515497 213.120.69.4 192.168.0.2 TLSv1.2 771 Certificate, Server Key Exchange, Server Hello Done
Cert exchange for TLS 1.2

Whereas for mail.talktalk.net I see:

    9 146.403246 192.168.0.2 153.92.174.228 TLSv1.3 571 Client Hello
    41 146.440457 153.92.174.228 192.168.0.2 TLSv1.3 1500 Server Hello, Change Cipher Spec, Application Data
    49 146.442019 153.92.174.228 192.168.0.2 TLSv1.3 1385 Application Data
    51 146.452209 192.168.0.2 153.92.174.228 TLSv1.3 134 Change Cipher Spec, Application Data

The cert exchange from the hello doesn't start. They will likely blame the client, though I am fairly convinced it's a PKI cert problem. This is what the server hello contains:

    TLSv1.3 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
        Content Type: Change Cipher Spec (20)
        Version: TLS 1.2 (0x0303)
        Length: 1
        Change Cipher Spec Message

My guess is they've enabled the TLS 1.3 protocol but not configured it to work, and are relying on a fall back to 1.2. The working connection doesn't initialise as TLS 1.2. Is there a way to force Thunderbird to use a specific TLS version per server?
All replies (1)
Hi, Can someone confirm that the root cause is an incorrect server hello response? For a working IMAP connection to a server configured for TLS 1.2 I see the following response:

    Frame 12: 1500 bytes on wire (12000 bits), 1500 bytes captured (12000 bits) on interface \Device\NPF_{A6ABBF3F-4835-41BB-9C1D-FE553DAF1657}, id 0
    Ethernet II, Src: SkyUk_ec:ae:f1 (80:72:15:ec:ae:f1), Dst: RivetNet_18:ed:1d (9c:b6:d0:18:ed:1d)
    Internet Protocol Version 4, Src: 213.120.69.1, Dst: 192.168.0.2
    Transmission Control Protocol, Src Port: 993, Dst Port: 57371, Seq: 1, Ack: 518, Len: 1446
    Transport Layer Security
        TLSv1.2 Record Layer: Handshake Protocol: Server Hello
            Content Type: Handshake (22)
            Version: TLS 1.2 (0x0303)
            Length: 63
            Handshake Protocol: Server Hello
                Handshake Type: Server Hello (2)
                Length: 59
                Version: TLS 1.2 (0x0303)
                Random: bf73444ac65d629b2554b9884babce404dd1582837670d044c8774108446f2ab
                Session ID Length: 0
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Compression Method: null (0)
                Extensions Length: 19
                Extension: renegotiation_info (len=1)
                    Type: renegotiation_info (65281)
                    Length: 1
                    Renegotiation Info extension
                Extension: session_ticket (len=0)
                    Type: session_ticket (35)
                    Length: 0
                    Data (0 bytes)
                Extension: ec_point_formats (len=2)
                    Type: ec_point_formats (11)
                    Length: 2
                    EC point formats Length: 1
                    Elliptic curves point formats (1)
                Extension: extended_master_secret (len=0)
                    Type: extended_master_secret (23)
                    Length: 0
                [JA3S Fullstring: 771,49199,65281-35-11-23]
                [JA3S: 92b5be817fd08957ff9f1384aa41f438]
Failing IMAP connection to mail.talktalk.net:
    Frame 6: 1500 bytes on wire (12000 bits), 1500 bytes captured (12000 bits) on interface \Device\NPF_{A6ABBF3F-4835-41BB-9C1D-FE553DAF1657}, id 0
    Ethernet II, Src: SkyUk_ec:ae:f1 (80:72:15:ec:ae:f1), Dst: RivetNet_18:ed:1d (9c:b6:d0:18:ed:1d)
    Internet Protocol Version 4, Src: 153.92.174.228, Dst: 192.168.0.2
    Transmission Control Protocol, Src Port: 993, Dst Port: 53655, Seq: 1, Ack: 518, Len: 1446
    Transport Layer Security
        TLSv1.3 Record Layer: Handshake Protocol: Server Hello
            Content Type: Handshake (22)
            Version: TLS 1.2 (0x0303)
            Length: 122
            Handshake Protocol: Server Hello
                Handshake Type: Server Hello (2)
                Length: 118
                Version: TLS 1.2 (0x0303)
                Random: 6294798c22ce2d0b8ce11f343f85c42943945e412ea87ad7882da911fb508060
                Session ID Length: 32
                Session ID: 5e88d87fcad63a2f5f80cf80e2711d564a3ca32448458f9f891635018d4b0c83
                Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
                Compression Method: null (0)
                Extensions Length: 46
                Extension: supported_versions (len=2)
                Extension: key_share (len=36)
                [JA3S Fullstring: 771,4866,43-51]
                [JA3S: 15af977ce25de452b96affa2addb1036]
        TLSv1.3 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
            Content Type: Change Cipher Spec (20)
            Version: TLS 1.2 (0x0303)
            Length: 1
            Change Cipher Spec Message
        TLSv1.3 Record Layer: Application Data Protocol: Internet Message Access Protocol
            Opaque Type: Application Data (23)
            Version: TLS 1.2 (0x0303)
            Length: 27
            Encrypted Application Data: 40e7b7469dbb3e53588826fb4d349ca927ee6ddf90d24d114f8b19
            [Application Data Protocol: Internet Message Access Protocol]
This is the contents of the server_hello for mail.talktalk.net. Windows 10 supports the specified cipher:

PS > Get-Tlsciphersuite
KeyType : 0
Certificate :
MaximumExchangeLength : 0
MinimumExchangeLength : 0
Exchange :
HashLength : 0
Hash :
CipherBlockLength : 16
CipherLength : 256
BaseCipherSuite : 4866
CipherSuite : 4866
Cipher : AES
Name : TLS_AES_256_GCM_SHA384
Protocols : {772}
Is it normal for a TLS 1.3 server_hello to contain TLS 1.2 fields? I would expect a TLS 1.3 payload to have TLS 1.3 element tags within it, not TLS 1.2!
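The question both posts turn on, as an added example that is not from the thread or from Wireshark: RFC 8446 requires a TLS 1.3 ServerHello to carry 0x0303 (TLS 1.2) in its legacy_version field and to signal the real version in the supported_versions extension, so a parser has to read that extension to learn what was negotiated. The block below rebuilds the two ServerHellos from the field values quoted above (the 32-byte key_share value was not shown and is a constructed placeholder) and recovers the negotiated version and the JA3S string Wireshark printed for each.

```python
import struct

# RFC 8446 4.1.3: a TLS 1.3 server fixes legacy_version at 0x0303 (TLS 1.2) and carries
# the real version in supported_versions, so a dissector prints "Version: TLS 1.2" there.
SUPPORTED_VERSIONS, KEY_SHARE = 43, 51

def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ServerHello into its fields."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22 or record[5] != 2:
        raise ValueError("not a ServerHello handshake record")
    hs = record[9:5 + rec_len]                  # past record and handshake headers
    legacy_version, = struct.unpack("!H", hs[:2])
    pos = 2 + 32                                # skip the 32-byte random
    pos += 1 + hs[pos]                          # skip legacy_session_id_echo
    cipher, = struct.unpack("!H", hs[pos:pos + 2])
    pos += 3                                    # cipher suite + compression method
    ext_len, = struct.unpack("!H", hs[pos:pos + 2])
    pos, exts = pos + 2, {}                     # extension type -> raw data, in wire order
    end = pos + ext_len
    while pos < end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        exts[etype] = hs[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    sv = exts.get(SUPPORTED_VERSIONS)
    negotiated = struct.unpack("!H", sv)[0] if sv and len(sv) == 2 else legacy_version
    return {"legacy_version": legacy_version, "negotiated_version": negotiated,
            "cipher_suite": cipher, "extensions": exts,
            # JA3S full string: legacy version, cipher suite, extension types, all decimal
            "ja3s": f"{legacy_version},{cipher}," + "-".join(map(str, exts))}

def build_server_hello(random_hex, session_id_hex, cipher, exts):
    """Constructed test data: wrap the fields in ServerHello and TLS record headers."""
    ext_blob = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in exts)
    sid = bytes.fromhex(session_id_hex)
    body = (struct.pack("!H", 0x0303) + bytes.fromhex(random_hex) + bytes([len(sid)]) + sid
            + struct.pack("!HBH", cipher, 0, len(ext_blob)) + ext_blob)
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0303, len(hs)) + hs

# Field values from the two captures in the thread; the 32-byte x25519 key_share
# value was not shown, so a constructed placeholder of 0x11 bytes stands in for it.
TALKTALK_HELLO = build_server_hello(
    "6294798c22ce2d0b8ce11f343f85c42943945e412ea87ad7882da911fb508060",
    "5e88d87fcad63a2f5f80cf80e2711d564a3ca32448458f9f891635018d4b0c83", 0x1302,
    [(SUPPORTED_VERSIONS, b"\x03\x04"), (KEY_SHARE, b"\x00\x1d\x00\x20" + b"\x11" * 32)])
WORKING_HELLO = build_server_hello(
    "bf73444ac65d629b2554b9884babce404dd1582837670d044c8774108446f2ab", "", 0xc02f,
    [(65281, b"\x00"), (35, b""), (11, b"\x01\x00"), (23, b"")])
```

Running `parse_server_hello` on the two constants reproduces the record lengths (122 and 63) and JA3S strings from the captures, and reports 0x0304 as the negotiated version for the mail.talktalk.net hello despite its 0x0303 legacy field.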