Author Topic: Adding support for TLSv1.2  (Read 26892 times)

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12742
Re: No support for TLSv1.2
« Reply #15 on: August 04, 2014, 01:59:24 am »
>> why that is that it only works with strict mode

Android has several different ways to create SSL sockets. They all report TLSv1.2 as supported, but -- from Postfix logs -- not all of them actually use it.

This is with Android 4.4.

With Android L preview (future 5.0?) it was working already, but I'm also not sure about the strict vs. accept all thing.

If you're security minded, why a self-signed certificate?

>> Do you ever interact with the author of K9

I don't know any of the 100+ people working on K9 (except maybe without my knowing).
Creating debug logs for diagnostics: https://www.aqua-mail.com/troubleshooting/

The official FAQ: https://www.aqua-mail.com/faq/

Лог-файлы для диагностики: https://www.aqua-mail.com/ru/troubleshooting/

Вопросы и ответы: https://www.aqua-mail.com/ru/faq/

scanno

  • Newbie
  • *
  • Posts: 43
Re: No support for TLSv1.2
« Reply #16 on: August 04, 2014, 04:00:59 am »
One caveat:

It only works with "STARTTLS (strict)" and "SSL (strict)".

The "STARTTLS (accept any)" and "SSL (accept any)" variations use TLSv1 even when my code asks for TLSv1.2.

@0brad0

So there you have it. Just wait for the next -beta build of AquaMail.

Thanks for bringing it up.

Can you please explain why that is that it only works with strict mode? Frustrating since I am using self signed certs and this wouldn't help me.

Well either way it is still a step forward and a bug fixed ;)

Do you ever interact with the author of K9? If so can you please pass this issue on to the author.

For home use, check https://www.startssl.com for free server certificates. I am using this and works fine. The root certificate is in the Android Trust Base.
I was using cacert.org certificates but their root and intermediate certificates are not included in Android.

Verstuurd vanaf mijn TF300T met Tapatalk


0brad0

  • Newbie
  • *
  • Posts: 9
Re: No support for TLSv1.2
« Reply #17 on: August 04, 2014, 05:56:22 am »
For home use, check https://www.startssl.com [nofollow] for free server certificates. I am using this and works fine. The root certificate is in the Android Trust Base.
I was using cacert.org certificates but their root and intermediate certificates are not included in Android.

Thanks for pointing that out. I just came across StartSSL earlier while looking around. I'm looking at generating a cert for my use. Yes I have heard of CAcert but there are issues with using their certs even outside of Android.

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12742
Re: No support for TLSv1.2
« Reply #18 on: August 04, 2014, 03:35:20 pm »
I did more testing today.

It's a bit of a hassle, having to reconfigure some server side stuff, but turned out to be worth it.

Using a Nexus 5 with Android 4.4.4, I was seeing TLSv1.2 in postfix logs, for all four encryption types:

Quote
SSL strict:

Aug  4 14:45:45 li463-125 postfix/smtps/smtpd[17656]: Anonymous TLS connection established from [snip]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

SSL accept any:

Aug  4 14:46:37 li463-125 postfix/smtps/smtpd[17656]: Anonymous TLS connection established from [snip]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

STARTTLS strict:

Aug  4 14:47:24 li463-125 postfix/submission/smtpd[17705]: Anonymous TLS connection established from [snip]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

STARTTLS accept any:

Aug  4 14:48:09 li463-125 postfix/submission/smtpd[17705]: Anonymous TLS connection established from [snip]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

So, since the proof is in the pudding, here is a new build:

http://www.aqua-mail.com/download/AquaMail-market-1.4.1-56-beta6.5.apk

Please try it and give me your feedback.
« Last Edit: August 04, 2014, 04:59:27 pm by Kostya Vasilyev, Aqua Mail »
Creating debug logs for diagnostics: https://www.aqua-mail.com/troubleshooting/

The official FAQ: https://www.aqua-mail.com/faq/

Лог-файлы для диагностики: https://www.aqua-mail.com/ru/troubleshooting/

Вопросы и ответы: https://www.aqua-mail.com/ru/faq/

scanno

  • Newbie
  • *
  • Posts: 43
Re: Adding support for TLSv1.2
« Reply #19 on: August 04, 2014, 07:02:53 pm »
Still getting SSLv1:

Aug  4 16:59:26 micro postfix/smtpd[24874]: Anonymous TLS connection established from <cut>: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

Verstuurd vanaf mijn Nexus 10 met Tapatalk


Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12742
Re: Adding support for TLSv1.2
« Reply #20 on: August 04, 2014, 07:10:25 pm »
@scanno - don't happen to own a Nexus 10.

Try Aqua's debug logging (logcat probably easier, I assume you have "adb").

The preferred ciphers / protocols are computed once and cached, so you'll need to reboot the device or kill and restart Aqua.

You should see something like this, like I do on my HTC One Max

Quote
08-04 19:08:05.457 I/SSLHardening(16482): Hardening reorder: [SSLv3, TLSv1, TLSv1.1, TLSv1.2], [TLSv1.2, TLSv1.1, TLSv1, SSLv3], null -> [TLSv1.2, TLSv1.1, TLSv1, SSLv3]


This means that SSLSocket.getSupportedProtocols returned: [SSLv3, TLSv1, TLSv1.1, TLSv1.2] (unordered)
Aqua's preferred protocols are: [TLSv1.2, TLSv1.1, TLSv1, SSLv3] (ordered)
Computed from above for use: [TLSv1.2, TLSv1.1, TLSv1, SSLv3] (ordered)
Creating debug logs for diagnostics: https://www.aqua-mail.com/troubleshooting/

The official FAQ: https://www.aqua-mail.com/faq/

Лог-файлы для диагностики: https://www.aqua-mail.com/ru/troubleshooting/

Вопросы и ответы: https://www.aqua-mail.com/ru/faq/

scanno

  • Newbie
  • *
  • Posts: 43
Re: Adding support for TLSv1.2
« Reply #21 on: August 04, 2014, 07:40:49 pm »
Yes that is correct, i get
I/SSLHardening( 2691): Hardening reorder: [SSLv3, TLSv1, TLSv1.1, TLSv1.2], [TLSv1.2, TLSv1.1, TLSv1, SSLv3], null -> [TLSv1.2, TLSv1.1, TLSv1, SSLv3]

Perhaps my postfix config is not correct

Verstuurd vanaf mijn Nexus 10 met Tapatalk


Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12742
Re: Adding support for TLSv1.2
« Reply #22 on: August 04, 2014, 07:56:17 pm »
FWIW - I was testing with postfix as well.

Debian 7.6, postfix 2.9.6-2, openssl 1.0.1e-2+deb7u11.
Creating debug logs for diagnostics: https://www.aqua-mail.com/troubleshooting/

The official FAQ: https://www.aqua-mail.com/faq/

Лог-файлы для диагностики: https://www.aqua-mail.com/ru/troubleshooting/

Вопросы и ответы: https://www.aqua-mail.com/ru/faq/

scanno

  • Newbie
  • *
  • Posts: 43
Re: Adding support for TLSv1.2
« Reply #23 on: August 04, 2014, 07:58:24 pm »
@Kostya
Sorry for the confusion. I am a bit stupid....
For my personal needs i am using a dedicated SSL port (so no need for STARTTLS). SSLv3 == TLS v1
When i am starting a TLS session on the standard smtp port with STARTTLS, i get a TLS 1.2 session:
Aug  4 17:49:28 micro postfix/smtpd[26396]: Anonymous TLS connection established from [cut] TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

[EDIT]
I have specified a smtps group in my master.cf with smtpd_tls_wrappermode=yes .
I have not figured out yet if this means it is using SSLv3 or just assuming that a secure session should be set up without the need to use STARTTLS, but using TLS v1.2 if available

[EDIT 2]
Hmmm think that it should support TLS v1.2 also when using smtpd_tls_wrappermode=yes.
« Last Edit: August 04, 2014, 08:36:29 pm by scanno »

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12742
Re: Adding support for TLSv1.2
« Reply #24 on: August 04, 2014, 08:34:53 pm »
smtpd_tls_wrappermode=yes means negotiate encryption upon connect, without waiting for a protocol-specific STARTTLS command.

This is ports 993 (IMAP), 995 (POP3) and 465 (SMTP) -- of course we're talking about postfix here, so it's SMTP, but the principle applies.

This corresponds to "SSL" in AquaMail (as opposed to STARTTLS). I have tested this case and was getting TLSv1.2 in postfix's logs.
Creating debug logs for diagnostics: https://www.aqua-mail.com/troubleshooting/

The official FAQ: https://www.aqua-mail.com/faq/

Лог-файлы для диагностики: https://www.aqua-mail.com/ru/troubleshooting/

Вопросы и ответы: https://www.aqua-mail.com/ru/faq/

scanno

  • Newbie
  • *
  • Posts: 43
Re: Adding support for TLSv1.2
« Reply #25 on: August 04, 2014, 08:47:52 pm »
I know it should not matter. Perhaps the postfix session cache is messing my tests up a bit.


Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12742
Re: Adding support for TLSv1.2
« Reply #26 on: August 04, 2014, 08:58:09 pm »
@scanno -- that sounds like a very good guess!

Would also explain why I was getting "TLSv1" in some of my tests yesterday, and TLSv1.2 in all of them, today.
Creating debug logs for diagnostics: https://www.aqua-mail.com/troubleshooting/

The official FAQ: https://www.aqua-mail.com/faq/

Лог-файлы для диагностики: https://www.aqua-mail.com/ru/troubleshooting/

Вопросы и ответы: https://www.aqua-mail.com/ru/faq/

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12742
Re: Adding support for TLSv1.2
« Reply #27 on: August 04, 2014, 09:19:53 pm »
Yeah, it's the session cache alright -- but on Aqua's side.

Maybe postfix's cache needs to be flushed too, but on your Android device, delete all files inside /data/data/org.kman.AquaMail/app_sslcache.

After doing this, I'm getting "TLSv1.2, cipher TLS_DHE_RSA_WITH_AES_256_CBC_SHA" with Fastmail and Yandex.

Gmail's IMAP is still "TLSv1, cipher TLS_ECDHE_RSA_WITH_RC4_128_SHA", but SMTP is "TLSv1.2, cipher TLS_ECDHE_RSA_WITH_RC4_128_SHA"

PS - going to add some code to delete those files when "SSL hardening" is changed.
« Last Edit: August 04, 2014, 09:27:26 pm by Kostya Vasilyev, Aqua Mail »
Creating debug logs for diagnostics: https://www.aqua-mail.com/troubleshooting/

The official FAQ: https://www.aqua-mail.com/faq/

Лог-файлы для диагностики: https://www.aqua-mail.com/ru/troubleshooting/

Вопросы и ответы: https://www.aqua-mail.com/ru/faq/

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12742
Re: Adding support for TLSv1.2
« Reply #28 on: August 04, 2014, 10:04:27 pm »
Done.

http://www.aqua-mail.com/download/AquaMail-market-1.4.1-56-beta6.6.apk

You'll need to toggle "SSL hardening" off and back on (to clear those caches), and reboot the phone or kill Aqua's process.

With this, I'm seeing TLSv1.2 for Gmail's IMAP too.

Creating debug logs for diagnostics: https://www.aqua-mail.com/troubleshooting/

The official FAQ: https://www.aqua-mail.com/faq/

Лог-файлы для диагностики: https://www.aqua-mail.com/ru/troubleshooting/

Вопросы и ответы: https://www.aqua-mail.com/ru/faq/

scanno

  • Newbie
  • *
  • Posts: 43
Re: Adding support for TLSv1.2
« Reply #29 on: August 04, 2014, 10:30:52 pm »
@Kostya
confirmed working.

Verstuurd vanaf mijn Nexus 10 met Tapatalk