Author Topic: TLS handshake failure  (Read 23247 times)

5huhulalu

  • Newbie
  • *
  • Posts: 16
TLS handshake failure
« on: September 16, 2018, 01:18:46 am »
Dear Kosta,
I can not connect to my IMAP mailserver. My mailserver is dovecot. I had no problems in the past, but after the recent update of dovecot, I can no longer connect. I suspect that Aquamail tries to downgrade the TLS cipher and Dovecot no longer accepts this strategy.

I have no problems with other email clients (Mozilla Thunderbird)


I tried to change Dovecot settings (disable the ssl_cipher_list etc.) but the problem still remains.

Logs from Dovecot and from Aquamail are in the attachments.


Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: TLS handshake failure
« Reply #1 on: September 18, 2018, 10:55:06 pm »
SSL code is in Android not in our app.

The error has to be on your side.

This is the cipher list that we "ask" Android to use (the beginning of the list).

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

Hope this helps.
Creating debug logs for diagnostics: https://www.aqua-mail.com/troubleshooting/

The official FAQ: https://www.aqua-mail.com/faq/

Log files for diagnostics: https://www.aqua-mail.com/ru/troubleshooting/

Questions and answers: https://www.aqua-mail.com/ru/faq/

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: TLS handshake failure
« Reply #2 on: September 18, 2018, 10:56:44 pm »

5huhulalu

  • Newbie
  • *
  • Posts: 16
Re: TLS handshake failure
« Reply #3 on: September 19, 2018, 10:39:33 pm »
Dear Kostya,
thanks a lot for your answer!


5huhulalu

  • Newbie
  • *
  • Posts: 16
Re: TLS handshake failure
« Reply #4 on: September 21, 2018, 02:45:53 am »
Dear Kostya,
sorry to bother you again. I did a few tests:

I installed K-9 mail. I had no problems connecting to Dovecot using cipher ECDHE-ECDSA-AES256-GCM-SHA384. This is the third cipher on your list...

I did some tcpdump using Wireshark in order to compare your Hello and Hello from K-9.

This is Hello from K-9 (decoded by Wireshark, in the "tree structure"):

Code:
Secure Sockets Layer
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 148
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 144
            Version: TLS 1.2 (0x0303)
            Random: e05e8398a8ad4d0741de24217fb54a673a5fd0abee1e23dd...
            Session ID Length: 0
            Cipher Suites Length: 34
            Cipher Suites (17 suites)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
            Extensions Length: 69
            Extension: server_name (len=17)
            Extension: extended_master_secret (len=0)
            Extension: signature_algorithms (len=22)
                Type: signature_algorithms (13)
                Length: 22
                Signature Hash Algorithms Length: 20
                Signature Hash Algorithms (10 algorithms)
                    Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                    Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                    Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                    Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                    Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                    Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                    Signature Algorithm: SHA224 RSA (0x0301)
                    Signature Algorithm: SHA224 ECDSA (0x0303)
                    Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
                    Signature Algorithm: ecdsa_sha1 (0x0203)

After Hello from K-9 (Client Hello), Dovecot continues with the communication (Server Hello, followed by certificate, key exchange etc.) and everything is OK.

And this is your Hello:

Code:
Secure Sockets Layer
    TLSv1 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 176
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 172
            Version: TLS 1.2 (0x0303)
            Random: 2b7af5ba92040f081a5a3621e9d9cbab2d50b829b7fe755f...
            Session ID Length: 0
            Cipher Suites Length: 62
            Cipher Suites (31 suites)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
                Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
                Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
                Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
                Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
                Cipher Suite: TLS_FALLBACK_SCSV (0x5600)
            Compression Methods Length: 1
            Compression Methods (1 method)
            Extensions Length: 69
            Extension: server_name (len=17)
            Extension: extended_master_secret (len=0)
            Extension: signature_algorithms (len=22)
                Type: signature_algorithms (13)
                Length: 22
                Signature Hash Algorithms Length: 20
                Signature Hash Algorithms (10 algorithms)
                    Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                    Signature Algorithm: ecdsa_secp521r1_sha512 (0x0603)
                    Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                    Signature Algorithm: ecdsa_secp384r1_sha384 (0x0503)
                    Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                    Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                    Signature Algorithm: SHA224 RSA (0x0301)
                    Signature Algorithm: SHA224 ECDSA (0x0303)
                    Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
                    Signature Algorithm: ecdsa_sha1 (0x0203)

After Client Hello from Aquamail, communication is interrupted by the server and there is no response from the server.

As you can see, Client Hello from K-9 and Aquamail are very similar. The cipher list is very similar.

The only difference is this: K-9 sends its Client Hello over "TLSv1.2 Record Layer" but Aquamail sends the Client Hello over "TLSv1 Record Layer". This is also indicated in the "protocol" column in Wireshark. Client Hello by K-9 is sent over TLSv1.2 protocol (also the server sends all its communication over TLSv1.2) but the column "protocol" for Client Hello from Aquamail says TLSv1 protocol.

Thanks a lot.

P.S. I forgot to mention that I have Android 6.0.1 so the bug in 7.0 probably does not affect me.

« Last Edit: September 21, 2018, 02:47:27 am by 5huhulalu »

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: TLS handshake failure
« Reply #5 on: September 23, 2018, 02:48:17 pm »
Re: The only difference is this: K-9 sends its Client Hello over "TLSv1.2 Record Layer" but Aquamail sends the Client Hello over "TLSv1 Record Layer". This is also indicated in the "protocol" column in Wireshark.

I can't doubt your findings from WireShark etc, but - *we* don't send "client hello", Android's networking code does.

We just use a Java class called SSLSocket and we set options for protocols and ciphers.

Regarding TLS 1.2 vs. 1.0, this is Aqua connecting to Gmail (just an example):

protocol TLSv1.2, cipher TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

( this is actual protocol from *after* the connection is established )

This is Fastmail:

protocol TLSv1.2, cipher TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

This is Yandex:

protocol TLSv1.2, cipher TLS_RSA_WITH_AES_128_GCM_SHA256

This is Office 365 (EWS over https):

protocol TLSv1.2, cipher TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384


Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: TLS handshake failure
« Reply #6 on: September 23, 2018, 03:06:12 pm »
Description:   Debian GNU/Linux 9.5 (stretch)
Release:   9.5

ii  dovecot-imapd            1:2.2.27-3+deb9u2 amd64             secure POP3/IMAP server - IMAP daemon

---

Test 1

10-ssl.conf

# SSL protocols to use
ssl_protocols = !SSLv3

# SSL ciphers to use
ssl_cipher_list = kRSA+AES:!LOW:!SSLv2:!EXP:!aNULL

# DH
ssl_dh_parameters_length = 2048

Aqua Mail connecting:

protocol TLSv1.2, cipher TLS_RSA_WITH_AES_128_GCM_SHA256

---

Test 2

# SSL protocols to use
ssl_protocols = !SSLv3

# SSL ciphers to use
ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384

# DH
ssl_dh_parameters_length = 2048

Handshake errors, yes reproduced.

----

However:

https://security.stackexchange.com/questions/29314

Quote
Appendix E.1. (Compatibility with TLS 1.0/1.1 and SSL 3.0) from the TLS 1.2 RFC says:

Earlier versions of the TLS specification were not fully clear on
what the record layer version number (TLSPlaintext.version) should
contain when sending ClientHello (i.e., before it is known which
version of the protocol will be employed).  Thus, TLS servers
compliant with this specification MUST accept any value {03,XX} as
the record layer version number for ClientHello.

Note the "MUST".

Quote
The ClientHello from the client is sent wrapped into one or several records, and each record contains the protocol version as well. The records are like the envelopes around letters. It is safe to use version 0x0300 (SSLv3) for these records, regardless of the maximum supported version indicated in the ClientHello; that's like sending a letter in an SSLv3 envelope, but the letter says "by the way, I also support TLS 1.0 and TLS 1.1". Using SSLv3 records maximizes interoperability with old and buggy implementations who know only of SSLv3 and would reject records with a higher version.

I assume the "envelope" here is exactly the "TLSv1.2 Record Layer" in your wire dump.

« Last Edit: September 23, 2018, 03:08:49 pm by Kostya Vasilyev, Aqua Mail »
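
Added example, not part of the original posts: a small Python parser that reads the record-layer version, the ClientHello version and the cipher suites out of a ClientHello record, then compares the two hellos from Reply #4. The cipher suite code points are copied from the Wireshark dumps above; the records themselves are constructed here (zero random, no extensions), and all function names are hypothetical.

```python
import struct

# Cipher suite code points copied from the two Wireshark dumps in this thread.
K9_SUITES = [0xc02b, 0xc02c, 0xc02f, 0xc030, 0x009e, 0x009f, 0xc009, 0xc00a,
             0xc013, 0xc014, 0x0033, 0x0039, 0x009c, 0x009d, 0x002f, 0x0035,
             0x00ff]
AQUA_SUITES = [0xc030, 0xc02f, 0xc02c, 0xc02b, 0x009f, 0x009e, 0x009d, 0x009c,
               0xc028, 0xc014, 0xc024, 0xc00a, 0x003d, 0x0035, 0xc027, 0xc013,
               0xc023, 0xc009, 0x003c, 0x002f, 0x006b, 0x0039, 0x0067, 0x0033,
               0xc011, 0xc007, 0x0005, 0x0004, 0x000a, 0x00ff, 0x5600]


def build_client_hello(record_version, client_version, suites):
    """Constructed sample record: zero random, no session ID, no extensions."""
    body = struct.pack("!H", client_version) + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, record_version, len(handshake)) + handshake


def parse_client_hello(record):
    """Return record-layer version, ClientHello version and cipher suites."""
    if len(record) < 9:
        raise ValueError("too short for a handshake record")
    content_type, record_version, record_len = struct.unpack_from("!BHH", record)
    if content_type != 22 or record[5] != 1:
        raise ValueError("not a ClientHello handshake record")
    body_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + body_len]
    if len(body) != body_len or body_len + 4 > record_len or body_len < 35:
        raise ValueError("truncated or fragmented ClientHello")
    (client_version,) = struct.unpack_from("!H", body)
    pos = 2 + 32                 # skip client_version and random
    pos += 1 + body[pos]         # skip session_id
    if pos + 2 > len(body):
        raise ValueError("session_id runs past the message")
    (suites_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if suites_len % 2 or pos + suites_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [int.from_bytes(body[i:i + 2], "big")
              for i in range(pos, pos + suites_len, 2)]
    return {"record_version": record_version,
            "client_version": client_version,
            "cipher_suites": suites}


def record_version_acceptable(version):
    """RFC 5246 Appendix E.1: a server MUST accept any {03,XX} here."""
    return version >> 8 == 0x03


def diff_hellos(a, b):
    """Compare two parsed hellos field by field."""
    sa, sb = set(a["cipher_suites"]), set(b["cipher_suites"])
    return {"same_record_version": a["record_version"] == b["record_version"],
            "same_client_version": a["client_version"] == b["client_version"],
            "only_in_a": sorted(sa - sb),
            "only_in_b": sorted(sb - sa)}


# Both dumps show Version: TLS 1.0 (0x0301) in the record header and
# Version: TLS 1.2 (0x0303) inside the ClientHello.
K9 = parse_client_hello(build_client_hello(0x0301, 0x0303, K9_SUITES))
AQUA = parse_client_hello(build_client_hello(0x0301, 0x0303, AQUA_SUITES))

if __name__ == "__main__":
    result = diff_hellos(K9, AQUA)
    print("record versions equal:", result["same_record_version"])
    print("only in K-9:  ", [hex(s) for s in result["only_in_a"]])
    print("only in Aqua: ", [hex(s) for s in result["only_in_b"]])
```

As pasted, both dumps carry the same record-header bytes (0x0301); the suites that appear only in the Aqua Mail hello are the CBC-SHA256/SHA384, RC4 and 3DES suites plus TLS_FALLBACK_SCSV (0x5600).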

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: TLS handshake failure
« Reply #7 on: September 23, 2018, 03:39:46 pm »
Follow up.

The "envelope"'s TLS version comes from Android code.


I just checked K9's SSL code, it's here:

https://github.com/k9mail/k-9/blob/master/mail/common/src/main/java/com/fsck/k9/mail/ssl/DefaultTrustedSocketFactory.java

Ours is just like that, it's boilerplate:

         SSLContext sslContext = SSLContext.getInstance("TLS");
         sslContext.init(null, null, null);
         return sslContext.getSocketFactory();

I don't see anything in K9 code that would force "envelope" to TLS 1.2.

Do you?

And then - is that even the right thing to do?

- It would prevent connecting to TLS 1.0 - 1.1 servers (a purist view is - those should not be used anymore by anyone, but this wouldn't work that well "in the real world").

- And then what I posted above - about how the envelope TLS version can be lower and the other side (server) MUST accept it even when clientHello is TLS 1.2 - indicates that there is a bug somewhere and I don't think it's us.

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: TLS handshake failure
« Reply #8 on: September 23, 2018, 04:26:29 pm »
BTW when using

# SSL protocols to use
ssl_protocols = !SSLv3

# SSL ciphers to use
ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384

or

# SSL protocols to use
ssl_protocols = TLSv1.2

# SSL ciphers to use
ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384


this fails to detect any SSL protocols or ciphers:

$ nmap --script ssl-cert,ssl-enum-ciphers -p 993 aqua-mail.com

Starting Nmap 7.60 ( https://nmap.org ) at 2018-09-23 16:19 MSK
Nmap scan report for aqua-mail.com (176.58.105.125)
Host is up (0.047s latency).

PORT    STATE SERVICE
993/tcp open  imaps

Nmap done: 1 IP address (1 host up) scanned in 30.22 seconds


and this fails too:

$ openssl s_client -tls1_2 -crlf -connect aqua-mail.com:993
CONNECTED(00000003)
139871317656000:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1399:SSL alert number 40

and even this fails:

$ openssl s_client -tls1_2 -cipher ECDHE-ECDSA-AES256-GCM-SHA384 -crlf -connect aqua-mail.com:993
CONNECTED(00000003)
140257266016704:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1399:SSL alert number 40

Quite curious.

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: TLS handshake failure
« Reply #9 on: September 23, 2018, 05:04:24 pm »
Speaking of K9 Mail.

Installed from Play.

Server config:

# SSL protocols to use
ssl_protocols = TLSv1.2

# SSL ciphers to use
ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384


K9 gives account setup error, also SSL handshake:

09-23 17:02:04.581 E/AccountSetupCheckSettin( 5788): Error while testing settings
09-23 17:02:04.581 E/AccountSetupCheckSettin( 5788): com.fsck.k9.mail.MessagingException: Unable to connect
09-23 17:02:04.581 E/AccountSetupCheckSettin( 5788):    at com.fsck.k9.mail.store.imap.ImapStore.checkSettings(ImapStore.java:317)
09-23 17:02:04.581 E/AccountSetupCheckSettin( 5788):    at com.fsck.k9.activity.setup.AccountSetupCheckSettings$CheckAccountTask.checkIncoming(AccountSetupCheckSettings.java:497)
09-23 17:02:04.581 E/AccountSetupCheckSettin( 5788):    at com.fsck.k9.activity.setup.AccountSetupCheckSettings$CheckAccountTask.checkServerSettings(AccountSetupCheckSettings.java:467)
09-23 17:02:04.581 E/AccountSetupCheckSettin( 5788):    at com.fsck.k9.activity.setup.AccountSetupCheckSettings$CheckAccountTask.doInBackground(AccountSetupCheckSettings.java:424)
09-23 17:02:04.581 E/AccountSetupCheckSettin( 5788):    at com.fsck.k9.activity.setup.AccountSetupCheckSettings$CheckAccountTask.doInBackground(AccountSetupCheckSettings.java:402)
09-23 17:02:04.581 E/AccountSetupCheckSettin( 5788):    at android.os.AsyncTask$2.call(AsyncTask.java:333)
09-23 17:02:04.581 E/AccountSetupCheckSettin( 5788):    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
09-23 17:02:04.581 E/AccountSetupCheckSettin( 5788):    at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:245)
09-23 17:02:04.581 E/AccountSetupCheckSettin( 5788):    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1162)
09-23 17:02:04.581 E/AccountSetupCheckSettin( 5788):    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:636)
09-23 17:02:04.581 E/AccountSetupCheckSettin( 5788):    at java.lang.Thread.run(Thread.java:764)
09-23 17:02:04.581 E/AccountSetupCheckSettin( 5788): Caused by: javax.net.ssl.SSLHandshakeException: Handshake failed
09-23 17:02:04.581 E/AccountSetupCheckSettin( 5788):    at com.fsck.k9.mail.store.imap.ImapConnection.open(ImapConnection.java:135)
09-23 17:02:04.581 E/AccountSetupCheckSettin( 5788):    at com.fsck.k9.mail.store.imap.ImapStore.checkSettings(ImapStore.java:313)
09-23 17:02:04.581 E/AccountSetupCheckSettin( 5788):    ... 10 more
09-23 17:02:04.581 E/AccountSetupCheckSettin( 5788): Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x7016099c00: Failure in SSL library, usually a protocol error
09-23 17:02:04.581 E/AccountSetupCheckSettin( 5788): error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE (external/boringssl/src/ssl/tls_record.c:522 0x701601a680:0x00000001)
09-23 17:02:04.581 E/AccountSetupCheckSettin( 5788): error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO (external/boringssl/src/ssl/handshake_client.c:889 0x7014732126:0x00000000)
09-23 17:02:04.581 E/AccountSetupCheckSettin( 5788):    at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
09-23 17:02:04.581 E/AccountSetupCheckSettin( 5788):    ... 15 more



5huhulalu

  • Newbie
  • *
  • Posts: 16
Re: TLS handshake failure
« Reply #10 on: September 24, 2018, 01:59:26 am »
Hi,
I am just an advanced user, I have no programming skills. So it is difficult for me to find the source of the bug...

But it really seems that there is something wrong with Dovecot itself.

Good to know that you have reproduced the error.

Thanks a lot!

I will send some bug report to Dovecot when I have more time.

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: TLS handshake failure
« Reply #11 on: September 25, 2018, 12:28:38 pm »
Well what are your ssl_protocols and ssl_cipher_list (and any other ssl related settings) in Dovecot config?

And Dovecot and OpenSSL version on the server?

Based on my tests above, I'm guessing you've set ssl_protocols to TLSv1.2.

Setting it to "!SSLv3" or maybe "TLSv1, TLSv1.1, TLSv1.2" should make things work - and TLS 1.2 capable apps (such as Aqua) will still prefer TLS 1.2.

BTW - on Android 7.0 we also enable / prefer CHACHA20_POLY1305 which is secure and fast on mobile devices.

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: TLS handshake failure
« Reply #12 on: September 25, 2018, 07:30:19 pm »
This works for me - in Aqua Mail and also using "openssl" and "nmap" to test:

# SSL protocols to use
ssl_protocols = !SSLv3

# SSL ciphers to use
ssl_cipher_list = AESGCM


nmap --script ssl-cert,ssl-enum-ciphers

| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|_  least strength: A


Note that your "favorite" cipher ECDHE-ECDSA-AES256-GCM-SHA384 is not enabled.

It is listed if you use an identical cipher spec with "openssl ciphers", it's in first place:

openssl ciphers AESGCM | tr ':' '\n'
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-DSS-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
ADH-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
DHE-DSS-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
ADH-AES128-GCM-SHA256
RSA-PSK-AES256-GCM-SHA384
DHE-PSK-AES256-GCM-SHA384
AES256-GCM-SHA384
PSK-AES256-GCM-SHA384
RSA-PSK-AES128-GCM-SHA256
DHE-PSK-AES128-GCM-SHA256
AES128-GCM-SHA256
PSK-AES128-GCM-SHA256


I *think* this has to do with server's certificate key being RSA.

Dovecot 2.3.31 has a mechanism where you can have multiple certificates (and keys) and they're picked based on ciphers (if I'm reading the docs correctly).

https://wiki.dovecot.org/SSL/DovecotConfiguration

---

Also note that only TLS 1.2 is enabled - because ciphers matching "AESGCM" are all specific to TLS 1.2.
« Last Edit: September 25, 2018, 07:31:53 pm by Kostya Vasilyev, Aqua Mail »
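
Added example, not part of the original posts: a simplified Python model of the hypothesis in the reply above, that a suite from ssl_cipher_list is only usable when its authentication type matches the server certificate's key type. The suite names are copied from the `openssl ciphers AESGCM` and nmap output above and from the list in Reply #1; the prefix table, the function names and the rule that anonymous and PSK suites are unusable without extra configuration are assumptions of this sketch, and the name conversion covers only the AES-GCM names on this page.

```python
# `openssl ciphers AESGCM` output as posted in the reply above.
AESGCM = """
ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384
DHE-DSS-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ADH-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256
DHE-DSS-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 ADH-AES128-GCM-SHA256
RSA-PSK-AES256-GCM-SHA384 DHE-PSK-AES256-GCM-SHA384 AES256-GCM-SHA384
PSK-AES256-GCM-SHA384 RSA-PSK-AES128-GCM-SHA256 DHE-PSK-AES128-GCM-SHA256
AES128-GCM-SHA256 PSK-AES128-GCM-SHA256
""".split()

# Suites nmap enumerated on that server, from the same reply.
NMAP_SEEN = {
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384",
}

# Beginning of the list Aqua Mail asks Android to use, from Reply #1.
AQUA_OFFER = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
]

# OpenSSL name prefix -> (IANA key-exchange/auth part, what the server needs).
# Assumption of this sketch: "needs" is a certificate key type, "PSK" for
# suites that require a configured pre-shared key, or "none" for anonymous DH.
PREFIXES = [
    ("ECDHE-ECDSA-", "ECDHE_ECDSA", "ECDSA"),
    ("ECDHE-RSA-", "ECDHE_RSA", "RSA"),
    ("DHE-RSA-", "DHE_RSA", "RSA"),
    ("DHE-DSS-", "DHE_DSS", "DSS"),
    ("DHE-PSK-", "DHE_PSK", "PSK"),
    ("RSA-PSK-", "RSA_PSK", "PSK"),
    ("ADH-", "DH_anon", "none"),
    ("PSK-", "PSK", "PSK"),
]


def classify(openssl_name):
    """Split an OpenSSL suite name into (IANA head, server needs, remainder)."""
    for prefix, head, needs in PREFIXES:
        if openssl_name.startswith(prefix):
            return head, needs, openssl_name[len(prefix):]
    return "RSA", "RSA", openssl_name  # bare name: static RSA key exchange


def iana_name(openssl_name):
    """Convert an OpenSSL AES-GCM suite name to its IANA name."""
    head, _, rest = classify(openssl_name)
    return f"TLS_{head}_WITH_" + rest.replace("AES", "AES_").replace("-", "_")


def usable_suites(cipher_list, cert_key):
    """Suites from the server's list that a certificate of cert_key can serve."""
    return [iana_name(n) for n in cipher_list if classify(n)[1] == cert_key]


def negotiate(cipher_list, cert_key, client_offer):
    """Pick a suite in client preference order (nmap: 'cipher preference: client')."""
    usable = set(usable_suites(cipher_list, cert_key))
    for suite in client_offer:
        if suite in usable:
            return suite
    return None  # nothing in common: the server sends handshake_failure (alert 40)


if __name__ == "__main__":
    print(sorted(usable_suites(AESGCM, "RSA")))
    print(negotiate(["ECDHE-ECDSA-AES256-GCM-SHA384"], "RSA", AQUA_OFFER))
```

With an RSA key the model yields exactly the six suites nmap listed, and the single-suite ECDHE-ECDSA list from Test 2 leaves nothing to negotiate. With an ECDSA key the same model does find a common suite with Aqua Mail's list, so a cipher and certificate mismatch alone does not account for a failure on a server that uses an ECDSA certificate.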

5huhulalu

  • Newbie
  • *
  • Posts: 16
Re: TLS handshake failure
« Reply #13 on: September 27, 2018, 11:45:18 pm »
Hi,

I have Dovecot 2.3.2.1

Openssl 1.1.1

ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

This is the recommended cipher list from https://wiki.mozilla.org/Security/Server_Side_TLS. I also tried
ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384
because I wanted K-9 and Aquamail to use the same cipher so that I can compare their behaviour.

Other settings:

ssl_min_protocol = TLSv1.2

ssl_prefer_server_ciphers = yes

My server's certificate key is ECDSA (ECC).

ssl_protocols has been replaced by ssl_min_protocol in Dovecot 2.3

I have tried

ssl_min_protocol = TLSv1
ssl_cipher_list = AESGCM

and

ssl_protocols = !SSLv3
ssl_cipher_list = AESGCM
(with warnings that ssl_protocols is obsolete)


nmap --script ssl-cert,ssl-enum-ciphers

Code:
Host is up (0.020s latency).

PORT    STATE    SERVICE
143/tcp filtered imap

Nmap done: 1 IP address (1 host up) scanned in 2.26 seconds

 :(

Your workaround does not work for me. Which Dovecot version do you use?

EDIT

I have noticed that you have Dovecot 2.2.27. Could you please upgrade to 2.3? I have used Dovecot + Aquamail without any problems for years. But my problems started after upgrading Dovecot. I "think" that earlier versions of Dovecot (2.2) somehow avoided the problematic ciphers (ECDHE-ECDSA-AES256-GCM-SHA384 ??). But Dovecot 2.3.1 does not work at all.
« Last Edit: September 28, 2018, 12:47:34 am by 5huhulalu »

Kostya Vasilyev

  • Hero Member
  • *****
  • Posts: 12740
Re: TLS handshake failure
« Reply #14 on: September 28, 2018, 10:27:22 pm »
My system info is this:

Description:   Debian GNU/Linux 9.5 (stretch)
Release:   9.5

ii  dovecot-imapd            1:2.2.27-3+deb9u2 amd64             secure POP3/IMAP server - IMAP daemon


I think maybe it's this?

Quote
My server's certificate key is ECDSA (ECC).

What did you do for "certificate key is ECDSA" ??? Any explicit setting?

When I run openssl s_client -crlf -connect aqua-mail.com:993 I see this among other output:

Peer signing digest: SHA512
Server Temp Key: ECDH, P-384, 384 bits

---

I think for your server, nmap should still be able to find "some" TLS protocols / ciphers, but it's not finding any.

Does this work at all? Do you actually get encryption?


openssl s_client -crlf -connect servername:993



---

Finally, sorry, I am not able to upgrade to Dovecot 2.3 because the server runs Debian 9.5 "stretch" and the latest Dovecot there (in "backports") is 2.2.34:

https://packages.debian.org/stretch-backports/dovecot-imapd