Topic: email app is unavailable to check for mails when SSLv3 is disabling

Calle

  • Newbie
  • *
  • Posts: 3
Re: email app is unavailable to check for mails when SSLv3 is disabling
« Reply #15 on: May 31, 2016, 11:04:17 pm »
Hello,

Sorry for posting in this old thread, but I have exactly the problem mentioned here.
My email provider changed the IMAP server to dovecot and I cannot connect to it anymore with Aquamail V 1.6.1.5 and Android 4.4.2.

The error message is exactly the one given in posting #1.

I tried the network settings about hardening SSL and blacklisting SSLv3, with rebooting my device, without success.

This is the dovecot config:

# SSL protocols to use
ssl_protocols = !SSLv3 !SSLv2

# SSL ciphers to use
ssl_cipher_list = HIGH::!aNULL:!eNULL:!kRSA:!kPSK:!kSRP:!aDSS:!kECDH:!kDH:!MD5:!SHA1:!RC2:!RC4:!SEED:!IDEA:!DES:!3DES

# Prefer the server's order of ciphers over client's.
ssl_prefer_server_ciphers = yes


Btw: AquaMail under Android 6.0.1 and exactly the same config works fine.

Thanks for help,

Carsten
« Last Edit: May 31, 2016, 11:07:08 pm by Calle »

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: email app is unavailable to check for mails when SSLv3 is disabling
« Reply #16 on: May 31, 2016, 11:18:41 pm »
AquaMail is the same on both, but the list of supported ciphers differs by Android version.

https://developer.android.com/reference/javax/net/ssl/SSLSocket.html

You may want to run "openssl ciphers <your cipherspec here>" on the server to see the actual list.

Or maybe use nmap with ssl-enum-ciphers for the same purpose.

And then maybe you can enable logging in AquaMail (see below) and cross-check the cipher list which gets enabled.

PS - you've got a redundant ":" after "HIGH".

PPS - I've got no issues with AquaMail on a 4.4 device, with Aqua's "SSL hardening" on or off, and with Aqua's "do not use SSLv3" on or off.

My Dovecot SSL config:

Quote
# SSL protocols to use
ssl_protocols = !SSLv2 !SSLv3

# SSL ciphers to use
#ssl_cipher_list = ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL
ssl_cipher_list = kRSA+AES:!LOW:!SSLv2:!EXP:!aNULL

# DH
ssl_dh_parameters_length = 2048

As you can see, my cipher list is really of the "tinfoil hat" variety (EC ciphers are not enabled).
« Last Edit: May 31, 2016, 11:30:30 pm by Kostya Vasilyev, Aqua Mail »
Creating debug logs for diagnostics: https://www.aqua-mail.com/troubleshooting/

The official FAQ: https://www.aqua-mail.com/faq/

Log files for diagnostics: https://www.aqua-mail.com/ru/troubleshooting/

Questions and answers: https://www.aqua-mail.com/ru/faq/

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: email app is unavailable to check for mails when SSLv3 is disabling
« Reply #17 on: June 01, 2016, 12:53:46 am »
$ openssl ciphers 'HIGH:!aNULL:!eNULL:!kRSA:!kPSK:!kSRP:!aDSS:!kECDH:!kDH:!MD5:!SHA1:!RC2:!RC4:!SEED:!IDEA:!DES:!3DES' | tr ':' '\n'
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256


All your ciphers use SHA256 or SHA384.

And every cipher with SHA256 or SHA384 that I see here is API 20 or newer, which is 5.0.

https://developer.android.com/reference/javax/net/ssl/SSLSocket.html

Personally I'd go with kRSA+AES which would give you:

$ openssl ciphers 'kRSA+AES' | tr ':' '\n'
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA


GCM for 5.0+ (256 is really excessive though) and non-GCM AES-SHA for lower versions.

PS - please don't mistake me for a computer security expert :)


Calle

  • Newbie
  • *
  • Posts: 3
Re: email app is unavailable to check for mails when SSLv3 is disabling
« Reply #18 on: June 01, 2016, 01:05:02 am »
Hi Kostya,

Thanks for your quick answer. I tried to get the information you requested:

Output of nmap:
Quote
~ (calle@online) 508 > nmap --script ssl-enum-ciphers -p 143 shabang

Starting Nmap 7.12 (  ) at 2016-05-31 23:26 CEST
Nmap scan report for shabang (217.70.197.9)
Host is up (0.00047s latency).
rDNS record for 217.70.197.9: shabang.toppoint.de
PORT    STATE SERVICE
143/tcp open  imap
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp384r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp384r1) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Key exchange parameters of lower strength than certificate key
|_  least strength: A

Output of AquaMail logging while manually configuring and testing the account:

Quote
*
* New log file session: 2016.05.31 23:30:52.627 +0200
* Package: org.kman.AquaMail 1.6.1.5 (26000005)
* Process: pid 14366, elapsed CPU 4 seconds
* Build: samsung, serranoltexx, GT-I9195, ver. KOT49H.I9195XXUCOI4, rel. 4.4.2, fp. samsung/serranoltexx/serranolte:4.4.2/KOT49H/I9195XXUCOI4:user/release-keys
* Memory: Native heap size: 15615160 allocated / 228168 free, Runtime 16687104 total / 3826496 free / 100663296 max, 96 memory class
*
[...]

2016.05.31 23:31:17.077 +0200   [NETWRK.1044]   Connection to [imap.toppoint.de:143, tlsRelaxed] completed: imap.toppoint.de/217.70.197.9:143, time = 0.05 sec
2016.05.31 23:31:17.078 +0200   [NETWRK.1044]   Buffer sizes: 524288 send, 1048576 receive
2016.05.31 23:31:17.130 +0200   [IMAP_RAW.1044]   Data is <115>:
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.

2016.05.31 23:31:17.141 +0200   [IMAP.1044]   Server greeting: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
2016.05.31 23:31:17.142 +0200   [IMAP.1044]   Server is Dovecot
2016.05.31 23:31:17.144 +0200   [IMAP.1044]   Sending: kman1 CAPABILITY
2016.05.31 23:31:17.190 +0200   [IMAP_RAW.1044]   Data is <171>:
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED
kman1 OK Pre-login capabilities listed, post-login capabilities have more.

2016.05.31 23:31:17.193 +0200   [IMAP_RAW.1044]   Line: * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED
2016.05.31 23:31:17.196 +0200   [IMAP.1044]   Pre-login capabilities: CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED
2016.05.31 23:31:17.198 +0200   [IMAP_RAW.1044]   Line: kman1 OK Pre-login capabilities listed, post-login capabilities have more.
2016.05.31 23:31:17.204 +0200   [IMAP.1044]   Result for kman1: 0 Pre-login capabilities listed, post-login capabilities have more., traffic: 171 read, 18 write
2016.05.31 23:31:17.205 +0200   [IMAP.1044]   Sending: kman2 STARTTLS
2016.05.31 23:31:17.264 +0200   [IMAP_RAW.1044]   Data is <37>:
kman2 OK Begin TLS negotiation now.

2016.05.31 23:31:17.265 +0200   [IMAP_RAW.1044]   Line: kman2 OK Begin TLS negotiation now.
2016.05.31 23:31:17.271 +0200   [IMAP.1044]   Result for kman2: 0 Begin TLS negotiation now., traffic: 37 read, 16 write
2016.05.31 23:31:17.272 +0200   [NETWRK.1044]   Request for startTls content://org.kman.AquaMail.data/accounts/10000/test/imap to [imap.toppoint.de:143, tlsRelaxed]
2016.05.31 23:31:17.273 +0200   [NETWRK.1044]   Using relaxed SSL/STARTTLS factory
2016.05.31 23:31:17.277 +0200   [NETWRK.1044]   Reconnecting to [imap.toppoint.de:143, tlsRelaxed]
2016.05.31 23:31:17.292 +0200   SSLHardening   Hardening reorder: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_WITH_NULL_MD5, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_DH_anon_WITH_RC4_128_MD5, TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_256_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, TLS_ECDH_anon_WITH_RC4_128_SHA, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_AES_256_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_ECDH_anon_WITH_NULL_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_FALLBACK_SCSV], [TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_DH_anon_WITH_AES_256_GCM_SHA384, TLS_DH_anon_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_DH_anon_WITH_AES_256_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, 
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5], [SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
2016.05.31 23:31:17.303 +0200   SSLHardening   -> [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_NULL_MD5, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_DH_anon_WITH_RC4_128_MD5, TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_256_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, TLS_ECDH_anon_WITH_RC4_128_SHA, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_AES_256_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_ECDH_anon_WITH_NULL_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_FALLBACK_SCSV]
2016.05.31 23:31:17.305 +0200   SSLHardening   Hardening reorder: [SSLv3, TLSv1, TLSv1.1, TLSv1.2], [TLSv1.2, TLSv1.1, TLSv1, SSLv3], [SSLv3]
2016.05.31 23:31:17.306 +0200   SSLHardening   -> [TLSv1.2, TLSv1.1, TLSv1]
2016.05.31 23:31:17.307 +0200   SSLHardening   Setting SSL ciphers: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_NULL_MD5, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_DH_anon_WITH_RC4_128_MD5, TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_256_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, TLS_ECDH_anon_WITH_RC4_128_SHA, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_AES_256_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_ECDH_anon_WITH_NULL_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_FALLBACK_SCSV]
2016.05.31 23:31:17.309 +0200   SSLHardening   Setting SSL protocols: [TLSv1.2, TLSv1.1, TLSv1]
2016.05.31 23:31:17.371 +0200   [NETWRK.1044]   Closing socket SSL socket over Socket[address=imap.toppoint.de/217.70.197.9,port=143,localPort=42295]
2016.05.31 23:31:17.391 +0200   [NETWRK.1044]   ***** ERROR: Unable to reconnect to [imap.toppoint.de:143, tlsRelaxed]
javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x646020f8: Failure in SSL library, usually a protocol error
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:744 0x5f8b27e8:0x00000000)
   at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:449)
   at com.android.org.conscrypt.OpenSSLSocketImpl$SSLInputStream.<init>(OpenSSLSocketImpl.java:662)
   at com.android.org.conscrypt.OpenSSLSocketImpl.getInputStream(OpenSSLSocketImpl.java:633)
   at org.kman.AquaMail.net.MailSocketConnection.doReconnectImpl(MailSocketConnection.java:276)
   at org.kman.AquaMail.net.MailConnectionManager.startTls(MailConnectionManager.java:334)
   at org.kman.AquaMail.mail.imap.ImapTask.ensureStartTLS(ImapTask.java:72)
   at org.kman.AquaMail.mail.imap.ImapTask_CheckAccount.process(ImapTask_CheckAccount.java:124)
   at org.kman.AquaMail.core.MailTaskBaseExecutor.execute(MailTaskBaseExecutor.java:76)
   at org.kman.AquaMail.core.MailTaskQueueExecutor$MailTaskQueue.run(MailTaskQueueExecutor.java:620)
   at java.lang.Thread.run(Thread.java:841)
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x646020f8: Failure in SSL library, usually a protocol error
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:744 0x5f8b27e8:0x00000000)
   at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
   at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:406)
   ... 9 more



I had to shorten the log - if you miss important lines, I can send you an email.

Carsten.

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: server SSL/TLS config not compatible with Android < 5.0
« Reply #19 on: June 01, 2016, 01:15:26 am »
Carsten,

Since I know there is nothing wrong with the app :) I won't be doing *all* the work for you.

But I did post a theory above (about SHA256) and it's consistent with your nmap output.

To complete this line of thought, please open the SSLSocket documentation and try to find any cipher with SHA256 or SHA384 which has "supported" lower than 20+ (API level 20 is Android 5.0). You won't be able to, there are none (unless I'm blind).

Or you can work it in reverse:

The actual list of ciphers enabled by AquaMail on the socket is under "Setting SSL ciphers", you won't find any of your ciphers there.

Or yet another way:

Look at the log under "Hardening reorder", it's a bit hard to pick apart, but it goes like this:

"Hardening reorder: [list of ciphers supported by the device], [the list of all ciphers known to AquaMail in hardening order], [blacklisted ciphers]"

You will see that none of your server ciphers appear on the supported list.
« Last Edit: June 01, 2016, 01:25:11 am by Kostya Vasilyev, Aqua Mail »
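Added example, not part of any post in this thread and not AquaMail code: the cross-check described in Replies #17 and #19, done mechanically by parsing the three bracketed lists of a "Hardening reorder" log line and intersecting the device-supported suites with the suites nmap reports for the server. The function names are hypothetical and both sample inputs are shortened, constructed subsets of the output quoted in Reply #18.

```python
import re

# Abbreviated from the nmap report quoted in Reply #18 (constructed subset).
NMAP_OUTPUT = """\
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp384r1) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|     compressors:
|       NULL
"""

# Same three-list layout as the log line in Reply #18, shortened (constructed subset):
# [supported by device], [known to the app, hardening order], [blacklisted]
HARDENING_LINE = (
    "2016.05.31 23:31:17.292 +0200   SSLHardening   Hardening reorder: "
    "[SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_128_CBC_SHA, "
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA], "
    "[TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, "
    "TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5], "
    "[SSL_RSA_WITH_DES_CBC_SHA]"
)


def normalize(name):
    """Java keeps a legacy SSL_ prefix on some suites; nmap prints TLS_ names."""
    return "TLS_" + name[4:] if name.startswith("SSL_") else name


def server_suites(nmap_text):
    """Cipher suite names offered by the server, from ssl-enum-ciphers output."""
    return set(re.findall(r"^\|\s+(TLS_\w+)\s", nmap_text, re.MULTILINE))


def parse_reorder(line):
    """Return (supported, known, blacklisted) lists from a 'Hardening reorder' line."""
    _, sep, tail = line.partition("Hardening reorder:")
    groups = re.findall(r"\[([^\]]*)\]", tail)
    if not sep or len(groups) != 3:
        raise ValueError("not a 'Hardening reorder' line with three lists")
    return tuple([normalize(n.strip()) for n in g.split(",") if n.strip()]
                 for g in groups)


def common_suites(nmap_text, hardening_line):
    """Device-supported, non-blacklisted suites that the server also offers."""
    supported, _known, blacklisted = parse_reorder(hardening_line)
    offered = server_suites(nmap_text)
    return [c for c in supported if c not in blacklisted and c in offered]


if __name__ == "__main__":
    print("thread's server list:", common_suites(NMAP_OUTPUT, HARDENING_LINE))
    # Constructed line: a server that also offers one SHA-1 based AES suite.
    relaxed = NMAP_OUTPUT + "|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A\n"
    print("with one older suite:", common_suites(relaxed, HARDENING_LINE))
```

An empty result means the handshake has no suite to agree on, which is the "handshake failure" alert in the quoted stack trace. Note the near miss between TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA on the device and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 on the server: they are different suites.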

Calle

  • Newbie
  • *
  • Posts: 3
Re: email app is unavailable to check for mails when SSLv3 is disabling
« Reply #20 on: June 01, 2016, 01:46:28 am »
Hi Kostya,

sorry for wasting your time  ;).

I'm more or less a computer security newbie - never heard about ssl-ciphers before.
With your help I managed to get some information about this. I asked my email-provider to enable some more ciphers in dovecot. I'll let you know if it works.

Many thanks for your answers.

Carsten.


Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: email app is unavailable to check for mails when SSLv3 is disabling
« Reply #21 on: June 01, 2016, 01:53:17 am »
Carsten,

Wasn't a total waste of time, and I'm glad you learned something too.

Yes, the ciphers are "too modern", all of them are only supported starting with 5.0.