enable AES 128 or AES 256 for gmail in Thunderbird

hnyaji
Posts: 27
Joined: May 1st, 2009, 8:31 am

enable AES 128 or AES 256 for gmail in Thunderbird

Post by hnyaji »

Hi

How to enable AES 128 bit or AES 256 bit for gmail in Thunderbird?

thanks
Hemanth
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: enable AES 128 or AES 256 for gmail in Thunderbird

Post by tanstaafl »

I think you're asking how to control what cipher is used for a secure connection.

security.ssl3.rsa_aes_128_sha (128 bit AES) and security.ssl3.rsa_aes_256_sha (256 bit AES) are enabled by default. What cipher is used gets negotiated between the email client and mail server. You'd have to use something like a packet sniffer to find out what they negotiated. However, since the same ciphers are available in Firefox you could make a reasonable guess by making an SSL connection to Gmail using Firefox and then click on the envelope icon in the address bar, press "more information" and then "general". That shows 128bit RC4.

I then set to false all of the RC4 entries such as security.ssl3.rsa_rc4_128_md5 and tried again. I'd previously set to false many of the weaker ciphers such as all of the RC2 entries. This time it chose 256 bit AES. You can toggle these settings using the config editor in tools -> options -> advanced -> general. If you do this don't get too aggressive in disabling weak ciphers or you might cause problems with secure connections to other servers.

You might find http://support.mozilla.com/en-US/kb/Con ... FIPS+140-2 useful as a guide to what ciphers to disable.
hnyaji
Posts: 27
Joined: May 1st, 2009, 8:31 am

Re: enable AES 128 or AES 256 for gmail in Thunderbird

Post by hnyaji »

Hi

I am asking about Thunderbird, but you have told me how to disable the weak security protocols such as RC4 in Firefox!

I am using gmail in Thunderbird, and I don't know how to use AES 128 bit or AES 256 bit for gmail in it. When I disabled every other weak protocol (filter: security.ssl3 - false for every thing other than aes 128 or aes 256) in Thunderbird, gmail and hotmail refused to connect.

Please let me know how I use aes 128 or aes 256 for gmail and hotmail in Thunderbird.

I really don't bother about my security protocol in Firefox.

thanks,
Hemanth
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: enable AES 128 or AES 256 for gmail in Thunderbird

Post by tanstaafl »

I already told you what to do. I suggested you tweak Firefox's settings while connecting to gmail webmail and, once you verified what it used, set Thunderbird to use the same SSL3 settings. You can undo the Firefox settings afterwards if you want, it was merely a tool to try to figure out what settings to change in Thunderbird because there is no convenient way to tell what cipher Thunderbird chooses.

See http://luxsci.com/blog/256-bit-aes-encr ... urity.html . All of my ssl3 ciphers are false except for:

security.ssl3.rsa_aes_256_sha
security.ssl3.rsa_aes_128_sha
security.ssl3.rsa_fips_des_ede3_sha

security.ssl3.ecdhe_rsa_des_ede3_sha
security.ssl3.ecdhe_rsa_aes_256_sha
security.ssl3.ecdhe_rsa_aes_128_sha
security.ssl3.ecdhe_ecdsa_des_ede3_sha
security.ssl3.ecdhe_ecdsa_aes_256_sha
security.ssl3.ecdhe_ecdsa_aes_128_sha
security.ssl3.ecdh_rsa_des_ede3_sha
security.ssl3.ecdh_rsa_aes_256_sha
security.ssl3.ecdh_rsa_aes_128_sha
security.ssl3.ecdh_ecdsa_des_ede3_sha
security.ssl3.ecdh_ecdsa_aes_256_sha
security.ssl3.ecdh_ecdsa_aes_128_sha

ecdsa is "Elliptic Curve DSA". ecdh is "Elliptic Curve Diffie-Hellman"
http://www.mozilla.org/projects/securit ... ithms.html

I have no problem with secure connections to hotmail, gmail, aim, gmx, and fastmail.
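
Added example, not part of the original posts: a small audit of the security.ssl3.* overrides discussed in the replies above (the negotiation explanation and the list of enabled ciphers), showing which bulk cipher a given pref set would end up with. The two server preference lists, the sample prefs.js text, the all-on defaults and the server-preference selection rule are assumptions constructed for illustration, not data about any real provider.

```python
import re

# prefs.js stores about:config overrides as user_pref("name", value); lines.
PREF_RE = re.compile(r'user_pref\("security\.ssl3\.([a-z0-9_]+)",\s*(true|false)\);')

# Pref names taken from the thread; treating all of them as default-on is an assumption.
DEFAULTS = {name: True for name in (
    "rsa_rc4_128_md5", "rsa_rc4_128_sha", "rsa_des_ede3_sha",
    "rsa_aes_128_sha", "rsa_aes_256_sha",
    "ecdhe_rsa_rc4_128_sha", "ecdhe_rsa_aes_128_sha", "ecdhe_rsa_aes_256_sha")}

def enabled_suites(prefs_text, defaults=DEFAULTS):
    """Apply prefs.js overrides to the defaults; return the enabled suite names."""
    state = dict(defaults)
    for name, value in PREF_RE.findall(prefs_text):
        state[name] = (value == "true")
    return {name for name, on in state.items() if on}

def cipher_of(suite):
    """Map a pref suffix such as 'ecdhe_rsa_aes_256_sha' to its bulk cipher."""
    for token, label in (("rc4_128", "RC4-128"), ("des_ede3", "3DES-168"),
                         ("aes_128", "AES-128"), ("aes_256", "AES-256")):
        if token in suite:
            return label
    return "unknown"

def negotiate(client_enabled, server_order):
    """Assumed server-preference selection: first server suite the client offers.
    Returns None when there is no overlap, i.e. the handshake fails."""
    for suite in server_order:
        if suite in client_enabled:
            return suite
    return None

# Constructed inputs: an RC4-off prefs.js, an AES-only prefs.js, two made-up servers.
RC4_OFF = '''user_pref("security.ssl3.rsa_rc4_128_md5", false);
user_pref("security.ssl3.rsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
user_pref("mail.smtpserver.smtp1.port", 587);'''
AES_ONLY = RC4_OFF + '\nuser_pref("security.ssl3.rsa_des_ede3_sha", false);'
SERVER_PREFERS_RC4 = ["rsa_rc4_128_sha", "rsa_aes_256_sha", "rsa_aes_128_sha"]
SERVER_WITHOUT_AES = ["rsa_rc4_128_md5", "rsa_des_ede3_sha"]

if __name__ == "__main__":
    for label, prefs in (("defaults", ""), ("RC4 off", RC4_OFF), ("AES only", AES_ONLY)):
        for server in (SERVER_PREFERS_RC4, SERVER_WITHOUT_AES):
            chosen = negotiate(enabled_suites(prefs), server)
            print(label, server, "->", chosen and cipher_of(chosen))
```

A result of None is the case where the client and server share no enabled suite, so the secure connection cannot be established at all.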
hnyaji
Posts: 27
Joined: May 1st, 2009, 8:31 am

Re: enable AES 128 or AES 256 for gmail in Thunderbird

Post by hnyaji »

Hi

how would I know, which protocol is being used by my email service provider on Thunderbird?

thanks,
Hemanth
hnyaji
Posts: 27
Joined: May 1st, 2009, 8:31 am

Re: enable AES 128 or AES 256 for gmail in Thunderbird

Post by hnyaji »

Hi

under security.ssl3 I have all to default other than the following keys set to false.

security.ssl3.ecdh_ecdsa_rc4_128_sha
security.ssl3.ecdh_rsa_rc4_128_sha
security.ssl3.ecdhe_ecdsa_rc4_128_sha
security.ssl3.ecdhe_rsa_rc4_128_sha
security.ssl3.rsa_rc4_128_md5
security.ssl3.rsa_rc4_128_sha

I could send and receive emails on my gmail (imap.gmail.com - #993 - SSL; smtp.gmail.com - #25 -TLS). But I can only receive emails to my hotmail (pop3.live.com -#995 - SSL; smtp.live.com - #25 - TLS), and can't send!

Error message follows:

Image

How could I make hotmail to send emails on my Thunderbird?

thanks
Hemanth
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: enable AES 128 or AES 256 for gmail in Thunderbird

Post by tanstaafl »

hnyaji wrote: how would I know, which protocol is being used by my email service provider on Thunderbird

The only way I can think of is to use a protocol analyzer like Wireshark and I'm not sure that would let you see it negotiating what cipher to use. I've read man pages for telnet that mention that "telnet protocol negotiation goes encrypted" so it's possible that occurs with any email client. That is why I keep talking about seeing what cipher it uses with webmail.

If you read the article I linked to, he apparently leverages the fact that he is an admin at the email provider to see what cipher Thunderbird uses. I don't know of an equivalent to an SSL test site like https://www.fortify.net/sslcheck.html that you can use with Thunderbird.

You keep asking the same question hoping I will eventually give you a different answer. We're not run by or associated with Mozilla despite the similarity in names and the fact their support page links to us. We're an independent user community, and I'm just a user like yourself.

hnyaji wrote: How could I make hotmail to send emails on my Thunderbird?

I assume it worked before. Make a webmail connection to Hotmail and see what cipher it uses. Perhaps Hotmail doesn't support AES and the strongest cipher it supports is DES or 128 bit RC4.
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: enable AES 128 or AES 256 for gmail in Thunderbird

Post by tanstaafl »

I just tried to login to hotmail webmail and it defaulted to "3DES-EDE-CBC 168bit". I had security.ssl3.rsa_des_ede3_sha (168-bit Triple DES with RSA and a SHA1 MAC) true in Firefox but false in Thunderbird. Try setting it true.
hnyaji
Posts: 27
Joined: May 1st, 2009, 8:31 am

Re: enable AES 128 or AES 256 for gmail in Thunderbird

Post by hnyaji »

Hi

all those you said above for security.ssl3 are true for me as well. With some others in this filter, set to true or false. Then why am I unable to send on hotmail?

thanks
Hemanth
hnyaji
Posts: 27
Joined: May 1st, 2009, 8:31 am

Re: enable AES 128 or AES 256 for gmail in Thunderbird

Post by hnyaji »

Hi

security.ssl3.rsa_des_ede3_sha was already true for me on Thunderbird!

thanks,
Hemanth
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: enable AES 128 or AES 256 for gmail in Thunderbird

Post by tanstaafl »

I have no idea. My hotmail account in Thunderbird works but its webmail refuses to log me in (claims "The Windows Live Network is unavailable from this site") so I have low expectations of Hotmail working.

Did it work before you started tweaking SSL settings?
hnyaji
Posts: 27
Joined: May 1st, 2009, 8:31 am

Re: enable AES 128 or AES 256 for gmail in Thunderbird

Post by hnyaji »

Hi

yes, the hotmail was fine on Thunderbird before I changed the following to false.

security.ssl3.ecdh_ecdsa_rc4_128_sha
security.ssl3.ecdh_rsa_rc4_128_sha
security.ssl3.ecdhe_ecdsa_rc4_128_sha
security.ssl3.ecdhe_rsa_rc4_128_sha
security.ssl3.rsa_rc4_128_md5
security.ssl3.rsa_rc4_128_sha

Are any of these true for you on Thunderbird?

thanks,
Hemanth
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: enable AES 128 or AES 256 for gmail in Thunderbird

Post by tanstaafl »

Nope.
hnyaji
Posts: 27
Joined: May 1st, 2009, 8:31 am

Re: enable AES 128 or AES 256 for gmail in Thunderbird

Post by hnyaji »

Hi

Are these the same for you?

pop3.live.com -#995 - SSL
smtp.live.com - #25 - TLS

thanks,
Hemanth
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: enable AES 128 or AES 256 for gmail in Thunderbird

Post by tanstaafl »

No, I'm using port 587 for the SMTP server. I can't use port 25 because my ISP blocks it. See http://kb.mozillazine.org/Hotmail

I get an error that it can't connect to the SMTP server (same as the one whose image you provided) when I try to send a message using the hotmail smtp server. I had that problem before I ever tweaked the SSL cipher settings. That's why I normally use a different email provider's SMTP server with hotmail. That works fine using the latest SSL cipher settings.