Author Topic: SSL handshake terminated  (Read 12226 times)

mabahj

  • Newbie
  • *
  • Posts: 40
SSL handshake terminated
« on: September 09, 2015, 12:23:18 pm »
I've been getting an error message on one of my accounts for several months, including current version (1.5.9.13). It happens several times per day when communicating with the IMAP server (Dreamhost). This was not a problem earlier (many months ago, sorry that I cannot be more accurate). Refreshing multiple times often makes it pass again.

Code:
2015.09.09 11:10:57.661 +0200 [TASKS.7921] ***** ERROR: IOException caught in processTask for [org.kman.AquaMail.mail.smtp.SmtpTask_Send@34a21f3a, content://org.kman.AquaMail.data/accounts/1/out/102739184, org.kman.AquaMail.mail.MailAccount@a561fdf: id = 1, username = My Full Name, email = my email com, name = account name]
javax.net.ssl.SSLHandshakeException: Handshake failed
at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:390)
at com.android.org.conscrypt.OpenSSLSocketImpl.waitForHandshake(OpenSSLSocketImpl.java:623)
at com.android.org.conscrypt.OpenSSLSocketImpl.getInputStream(OpenSSLSocketImpl.java:585)
at org.kman.AquaMail.net.MailSocketConnection.doConnectImpl(MailSocketConnection.java:165)
at org.kman.AquaMail.net.MailConnectionManager.acquire(MailConnectionManager.java:267)
at org.kman.AquaMail.net.MailConnectionManager.acquire(MailConnectionManager.java:158)
at org.kman.AquaMail.mail.smtp.SmtpTask_Send.ensureConnectLogin(SmtpTask_Send.java:548)
at org.kman.AquaMail.mail.smtp.SmtpTask_Send.process(SmtpTask_Send.java:193)
at org.kman.AquaMail.core.MailTaskBaseExecutor.execute(MailTaskBaseExecutor.java:76)
at org.kman.AquaMail.core.MailTaskQueueExecutor$MailTaskQueue.run(MailTaskQueueExecutor.java:610)
at java.lang.Thread.run(Thread.java:818)
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0xb9684b58: Failure in SSL library, usually a protocol error
error:1409443E:SSL routines:SSL3_READ_BYTES:tlsv1 alert inappropriate fallback (external/openssl/ssl/s3_pkt.c:1303 0xb93acfe8:0x00000003)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:318)
... 10 more

Last data:
kman10 UID EXPUNGE 15091
Result for kman10: 0 Expunge completed.
Caused by:
javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0xb9684b58: Failure in SSL library, usually a protocol error
error:1409443E:SSL routines:SSL3_READ_BYTES:tlsv1 alert inappropriate fallback (external/openssl/ssl/s3_pkt.c:1303 0xb93acfe8:0x00000003)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:318)
at com.android.org.conscrypt.OpenSSLSocketImpl.waitForHandshake(OpenSSLSocketImpl.java:623)
at com.android.org.conscrypt.OpenSSLSocketImpl.getInputStream(OpenSSLSocketImpl.java:585)
at org.kman.AquaMail.net.MailSocketConnection.doConnectImpl(MailSocketConnection.java:165)
at org.kman.AquaMail.net.MailConnectionManager.acquire(MailConnectionManager.java:267)
at org.kman.AquaMail.net.MailConnectionManager.acquire(MailConnectionManager.java:158)
at org.kman.AquaMail.mail.smtp.SmtpTask_Send.ensureConnectLogin(SmtpTask_Send.java:548)
at org.kman.AquaMail.mail.smtp.SmtpTask_Send.process(SmtpTask_Send.java:193)
at org.kman.AquaMail.core.MailTaskBaseExecutor.execute(MailTaskBaseExecutor.java:76)
at org.kman.AquaMail.core.MailTaskQueueExecutor$MailTaskQueue.run(MailTaskQueueExecutor.java:610)
at java.lang.Thread.run(Thread.java:818)

« Last Edit: September 22, 2015, 09:43:24 pm by mabahj »

mikeone

  • Hero Member
  • *****
  • Posts: 2762
Re: SSL handshake terminated
« Reply #1 on: September 09, 2015, 11:40:08 pm »
Hi, Kostya Vasilyev as the sole developer of AquaMail is on vacation until 17th September 2015. So, sorry for any inconvenience and thanks for your patience until then.
Regards
Mikeone

StR

  • Hero Member
  • *****
  • Posts: 1558
Re: SSL handshake terminated
« Reply #2 on: September 10, 2015, 12:39:20 am »
In the meantime, if you are desperate, maybe one of these would be helpful to you.
First, it looks like the errors show from the SMTP connection, not IMAP (at least the first one). And it is related to establishing an SSL connection.
I am not sure beyond that, but I am guessing that it might be due to a problem with the certificate(s) or because of the type of authentication protocol that might not be supported correctly. So, if I were in your situation, I'd try the following (one at a time):

Under the particular account settings:
1. Try to change "Accept any" instead of "Strict" in the SSL setting for the account.
(for SMTP and probably for IMAP, if you are also blaming IMAP)
2. Try playing with the Authentication option, setting "SASL PLAIN" in SMTP settings ("Prefer compatibility" for IMAP) instead of "Choose automatically" (that's how it looks in the latest version available in Google Play, but I believe it was called slightly differently, more technically, in the previous versions).

Under (general) Settings:
3. Try unchecking "SSL hardening" if it is checked.


PS. And just in case, I assume you've read the suggestions for the settings for Dreamhost:
General IMAP/SMTP settings:
https://discussion.dreamhost.com/thread-140590.html

Problems with the SSL verification (if that's the case, (1) above might solve this issue):
http://wiki.dreamhost.com/Certificate_Domain_Mismatch_Error


Added: I forgot to mention that based on my understanding of the errors, I'd try #3 first. Then I'd try #2.
« Last Edit: September 10, 2015, 02:56:25 am by StR »

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: SSL handshake terminated
« Reply #3 on: September 16, 2015, 10:27:49 pm »
- This seems a better help page:

http://wiki.dreamhost.com/Email_Client_Configuration#Secure_outgoing_settings

- The issue is not cert validation, or self-signed certs

- I'd bet on "SSL hardening" being enabled in AquaMail settings -> network. Not all mail providers are using the modern ("more secure") ciphers.
Creating debug logs for diagnostics: https://www.aqua-mail.com/troubleshooting/

The official FAQ: https://www.aqua-mail.com/faq/

Log files for diagnostics (Russian): https://www.aqua-mail.com/ru/troubleshooting/

Questions and answers (Russian): https://www.aqua-mail.com/ru/faq/

mabahj

  • Newbie
  • *
  • Posts: 40
Re: SSL handshake terminated
« Reply #4 on: September 20, 2015, 08:34:00 pm »
Hello StR, mikeone and Kostya,

Thank you very much for your replies and apologies for my late follow-up.

The problem is not isolated to sending emails. It is also happening when receiving emails (IMAP). If I then hit refresh on that account multiple times, then it normally works again after 2-3-4 attempts. I see that the error message I posted refers to the SMTP error. At the bottom is an error message from IMAP.

Answers to the (appreciated) suggestions:
* I'm not using SSL hardening. I tried to enable it for some time but I still got errors. It is disabled and has been for some weeks.
* I've tried (and still have enabled) "accept any" for SSL certificate, but it did not help. (Note that the error is not persistent)
* I've tried SASL PLAIN for authentication, did not help.
* Regarding the server name (Certificate Domain Mismatch Error), I'm already using the dreamhost mail server domain names, I needed to fix that to even get SSL.
* I also tried to toggle SSLv3 and restart, which was described in some other thread, although I don't know if that was the same error.


Relevant settings as I have them now:
* IMAP: SSL (accept any), port 993, Prefer compatibility
* SMTP: SSL (accept any), port 465, SASL PLAIN
* Settings -> Network: SSL hardening not selected,  SSL validation selected.

Edit: I should also note, for what it's worth, that I don't see any errors like this in Thunderbird.

An IMAP error from today:
Code:
2015.09.20 10:29:03.993 +0200 [TASKS.3256] ***** ERROR: IOException caught in processTask for [org.kman.AquaMail.mail.imap.ImapTask_Sync@29548782, content://org.kman.AquaMail.data/accounts/1/ops/1442737743381, org.kman.AquaMail.mail.MailAccount@38bb352d: id = 1, username = My Full Name, email = my email address, name = Account name]
javax.net.ssl.SSLHandshakeException: Handshake failed
at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:390)
at com.android.org.conscrypt.OpenSSLSocketImpl.waitForHandshake(OpenSSLSocketImpl.java:623)
at com.android.org.conscrypt.OpenSSLSocketImpl.getInputStream(OpenSSLSocketImpl.java:585)
at org.kman.AquaMail.net.MailSocketConnection.doConnectImpl(MailSocketConnection.java:165)
at org.kman.AquaMail.net.MailConnectionManager.acquire(MailConnectionManager.java:267)
at org.kman.AquaMail.net.MailConnectionManager.acquire(MailConnectionManager.java:152)
at org.kman.AquaMail.mail.imap.ImapTask_ConnectLogin.initConnection(ImapTask_ConnectLogin.java:192)
at org.kman.AquaMail.mail.imap.ImapTask_ConnectLogin.ensureConnectLogin(ImapTask_ConnectLogin.java:42)
at org.kman.AquaMail.mail.imap.ImapTask_Sync.process(ImapTask_Sync.java:116)
at org.kman.AquaMail.core.MailTaskBaseExecutor.execute(MailTaskBaseExecutor.java:76)
at org.kman.AquaMail.core.MailTaskQueueExecutor$MailTaskQueue.run(MailTaskQueueExecutor.java:610)
at java.lang.Thread.run(Thread.java:818)
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0xb85ba9d8: Failure in SSL library, usually a protocol error
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number (external/openssl/ssl/s3_pkt.c:345 0xac5e4c4d:0x00000000)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:318)
... 11 more 

« Last Edit: September 20, 2015, 08:51:39 pm by mabahj »

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: SSL handshake terminated
« Reply #5 on: September 21, 2015, 01:48:52 pm »
Re: thunderbird -- I would venture a guess that it's 1) not running on your Android phone and 2) not using same type of network connectivity (mobile data?)

Sorry, I don't know what I can do to help.

As I'm sure you realize, TCP/IP + SSL are implemented in Android system code, and my app just, you know, uses that stuff.

The error messages / stack traces are genuine (real), these handshake errors really are happening.

PS - it's nothing to do with "accept all" or domain name mismatch -- the error has to do with cipher / protocol negotiation, not certificate validation.
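
The two `error:` lines in the logs above can be decoded to check the point made in this reply, that the failure is in protocol negotiation rather than certificate validation. This is an added example, not part of any forum post and not AquaMail or Android code; it assumes the OpenSSL 1.0.x error-code packing (suggested by the `external/openssl/ssl/s3_pkt.c` path in the logs), and the function and dictionary names are hypothetical.

```python
import re

# OpenSSL 1.0.x packs an error code as 8-bit library | 12-bit function | 12-bit reason.
ERR_LIB_SSL = 0x14
ALERT_BASE = 1000  # SSL-library reasons >= 1000 mean "peer sent TLS alert (reason - 1000)"
TLS_ALERTS = {      # alert numbers from RFC 5246 and RFC 7507 (subset)
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 70: "protocol_version", 86: "inappropriate_fallback",
}
CERT_ALERTS = {42, 43, 44, 45, 46, 48}

ERR_LINE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*?)(?:\s+\(|$)")

# The two error lines from the logs posted in this thread.
SAMPLE_LINES = [
    "error:1409443E:SSL routines:SSL3_READ_BYTES:tlsv1 alert inappropriate fallback "
    "(external/openssl/ssl/s3_pkt.c:1303 0xb93acfe8:0x00000003)",
    "error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number "
    "(external/openssl/ssl/s3_pkt.c:345 0xac5e4c4d:0x00000000)",
]

def decode_openssl_error(line):
    """Return a dict describing an 'error:XXXXXXXX:...' log line, or None if absent."""
    m = ERR_LINE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    result = {"lib": lib, "func": func, "reason": reason, "routine": m.group(3),
              "text": m.group(4).strip(), "origin": "local", "alert": None,
              "certificate_related": False}
    if lib == ERR_LIB_SSL and reason >= ALERT_BASE:
        number = reason - ALERT_BASE
        result["origin"] = "peer"  # the server refused; the client only reports it
        result["alert"] = TLS_ALERTS.get(number, "alert_%d" % number)
        result["certificate_related"] = number in CERT_ALERTS
    return result

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(decode_openssl_error(line))
```

The first line decodes to alert 86, `inappropriate_fallback`, which RFC 7507 defines as the server's answer to a ClientHello that carries TLS_FALLBACK_SCSV at a lower protocol version than the server supports. The second is raised locally while reading a record, and neither falls in the certificate alert range.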

mabahj

  • Newbie
  • *
  • Posts: 40
Re: SSL handshake terminated
« Reply #6 on: September 22, 2015, 09:42:57 pm »
Hi,

I was not aware that TCP/IP + SSL was implemented in the Android system code. I just mentioned Thunderbird to show that other clients are able to communicate with my email server just fine.

But I do accept that this apparently is not something you can fix.

I'll try the stock email client when I get around to it, I guess it should fail as well.

mikeone

  • Hero Member
  • *****
  • Posts: 2762
Re: SSL handshake terminated
« Reply #7 on: September 22, 2015, 10:10:55 pm »
Oh, really? Thunderbird? On a mobile device? With Android OS?

Sorry,  I'm just kidding  8) :)

To compare fairly with "other clients", these applications should run on an identical OS: Android / Android, iOS / iOS, Windows / Windows, Linux / Linux, ...
« Last Edit: September 22, 2015, 10:20:36 pm by mikeone »

mabahj

  • Newbie
  • *
  • Posts: 40
Re: SSL handshake terminated
« Reply #8 on: September 22, 2015, 10:39:14 pm »
Hi mikeone,

This is very off topic, but since this bug report seems finished - I think you are wrong. It is a valid failure analysis process to try another client (on any platform), because if that fails, then that strongly indicates that the problem is with the server, not the client(s). (This indication is actually stronger if the client is very different, in this case a completely different platform.) If the other client works, then it may indicate that the server is OK, or that the other client accepts (or hides) any problems the server may have. We don't know. I was only stating that this path was (although not very roughly) tested and the conclusion of that "test".

It is also very relevant that I did not know that the TCP/IP + SSL was implemented in the Android system code and that this error (I assume) was reported from there.

mikeone

  • Hero Member
  • *****
  • Posts: 2762
Re: SSL handshake terminated
« Reply #9 on: September 22, 2015, 10:55:02 pm »
Hi Mabahj,
I fully agree with your explanation.
 :)
Kind regards
Mikeone

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: SSL handshake terminated
« Reply #10 on: September 23, 2015, 02:34:57 pm »
So far, Kostya is ill and bedridden most of the day, barely having enough energy for the forum and email.

StR

  • Hero Member
  • *****
  • Posts: 1558
Re: SSL handshake terminated
« Reply #11 on: September 25, 2015, 05:32:36 am »
Get well soon!

mikeone

  • Hero Member
  • *****
  • Posts: 2762
Re: SSL handshake terminated
« Reply #12 on: September 25, 2015, 10:23:23 am »
😷💊💉🍲🍏💪
My best wishes for a speedy recovery.

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: SSL handshake terminated
« Reply #13 on: September 26, 2015, 09:45:00 pm »
Just "for posterity" --

Someone was having same "symptoms" recently, I mean SSL handshake errors.

Turns out -- he was running his own server, and had "server-forced cipher order" enabled (in Postfix, if it matters).

He had no issues in Thunderbird either.

Turning it off solved the errors on Android (in AquaMail).

http://www.postfix.org/postconf.5.html#tls_preempt_cipherlist

Code:
While server cipher selection may in some cases lead to a more secure or performant cipher choice, there is some risk of interoperability issues.
Don't know if Dreamhost (or whatever provider is being discussed here) could be doing the same, just a guess.


mabahj

  • Newbie
  • *
  • Posts: 40
Re: SSL handshake terminated
« Reply #14 on: November 18, 2015, 11:35:44 pm »
Another one for posterity:

Don't know how the Dreamhost servers are set up. But I recently upgraded to a phone with Android 6 and have not seen the problem since. So I'm happy. Thanks for the effort.