On 4 Sept 2019 at 21:35, Jean-Daniel via dovecot dovecot@dovecot.org wrote:
On 4 Sept 2019 at 20:11, Henrik Johansson via dovecot dovecot@dovecot.org wrote:
Hi,
Has anyone else experienced problems using Dovecot with the Mail app in beta releases of iOS/iPadOS 13?
TLS is failing for me; it has worked fine for years and I am on the latest Dovecot version now. It works fine with older clients but not with the upgraded ones:
Sep 04 19:49:16 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization
Sep 04 19:49:16 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization
Sep 04 19:49:16 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A
Sep 04 19:49:16 imap-login: Debug: SSL alert: where=0x4008, ret=552: fatal handshake failure
Sep 04 19:49:16 imap-login: Debug: SSL: where=0x2002, ret=-1: error
Sep 04 19:49:16 imap-login: Debug: SSL: where=0x2002, ret=-1: error
Sep 04 19:49:16 imap-login: Debug: SSL error: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
Sep 04 19:49:16 imap-login: Debug: SSL: where=0x2002, ret=-1: error
Sep 04 19:49:16 imap-login: Debug: SSL error: SSL_accept() failed: error:140800FF:SSL routines:ssl3_accept:unknown state
Sep 04 19:49:16 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=11.22.33.44, lip=11.22.33.44, TLS handshaking: SSL_accept() failed: error:140800FF:SSL routines:ssl3_accept:unknown state, session=<lz7m2r2rjPouOvrk>
Working client:
Sep 04 19:57:58 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization
Sep 04 19:57:58 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization
Sep 04 19:57:58 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A
Sep 04 19:57:58 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A
Sep 04 19:57:58 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A
Sep 04 19:57:58 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A
Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A
Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A
Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data
Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client certificate A
Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client key exchange A
Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client key exchange A
Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client key exchange A
Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client key exchange A
Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A
Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read certificate verify A
Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read finished A
Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A
Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A
Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A
Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data
Sep 04 19:58:03 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully
Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully
Sep 04 19:58:03 imap-login: Info: Login: user=<username>, method=LOGIN, rip=11.22.33.44, lip=11.22.33.44, mpid=28781, TLS, TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits), session=<LklR9r2Vtb4uOzra>
Config:
# egrep -v "^#|^$" 10-ssl.conf 10-auth.conf
10-ssl.conf:ssl = required
10-ssl.conf:ssl_cert =

# dovecot --version
2.3.7.2 (3c910f64b)
Just a wild guess, as I didn't try to configure Mail on Catalina yet, but it looks like your server only supports 'DHE-RSA…' ciphers. I think that modern systems prefer using ECDHE key exchange and I would not be surprised if iOS requires it.
What version of OpenSSL are you using?
An interesting note from the Apple documentation about what is considered a secured server:
• The link must support perfect forward secrecy (PFS) through Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange.
https://developer.apple.com/documentation/security/preventing_insecure_netwo...
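As an added example (not code from the thread or from Dovecot), the following Python script does the two checks this exchange calls for: it triages imap-login output like the excerpts above, separating "no shared cipher" handshake failures from logins and classifying each negotiated cipher by key exchange (ECDHE, DHE, or static with no forward secrecy), and it expands a cipher-list string of the kind Dovecot's ssl_cipher_list takes with the local OpenSSL to show whether any ECDHE suites would be offered at all. The sample log is constructed from the pattern of the quoted lines; the addresses, users and session IDs in it are placeholders, and the cipher expansion depends on the OpenSSL the local Python was built against.

```python
"""Triage Dovecot imap-login TLS logs and inspect the offered key exchanges.

Added example for the thread above; not Dovecot's own code.
"""
import re
import ssl
from collections import Counter

# Constructed sample modelled on the imap-login debug output quoted in the
# thread. Addresses, users and session IDs are placeholders, not real data.
SAMPLE_LOG = """\
Sep 04 19:49:16 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A
Sep 04 19:49:16 imap-login: Debug: SSL alert: where=0x4008, ret=552: fatal handshake failure
Sep 04 19:49:16 imap-login: Debug: SSL error: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
Sep 04 19:49:16 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=192.0.2.1, TLS handshaking: SSL_accept() failed: error:140800FF:SSL routines:ssl3_accept:unknown state, session=<aaaa>
Sep 04 19:58:03 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully
Sep 04 19:58:03 imap-login: Info: Login: user=<alice>, method=LOGIN, rip=192.0.2.11, lip=192.0.2.1, mpid=28781, TLS, TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits), session=<bbbb>
Sep 04 20:01:10 imap-login: Info: Login: user=<bob>, method=LOGIN, rip=192.0.2.12, lip=192.0.2.1, mpid=28790, TLS, TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits), session=<cccc>
Sep 04 20:02:30 imap-login: Info: Login: user=<carol>, method=LOGIN, rip=192.0.2.13, lip=192.0.2.1, mpid=28791, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits), session=<dddd>
Sep 04 20:03:00 imap-login: Info: Login: user=<dave>, method=LOGIN, rip=192.0.2.14, lip=192.0.2.1, mpid=28792, TLS, TLSv1.2 with cipher AES256-SHA (256/256 bits), session=<eeee>
"""

# Debug line OpenSSL emits when client and server share no cipher suite.
NO_SHARED_CIPHER_RE = re.compile(
    r"SSL_accept\(\) failed: error:[0-9A-Fa-f]+:SSL routines:\w+:no shared cipher")

# Info line Dovecot writes when the connection dies during the handshake.
HANDSHAKE_FAIL_RE = re.compile(
    r"imap-login: Info: Disconnected \([^)]*\): user=<(?P<user>[^>]*)>, "
    r"rip=(?P<rip>[^,]+), .*?TLS handshaking: (?P<reason>.*?), "
    r"session=<(?P<session>[^>]*)>")

# Info line for a successful login over TLS, carrying protocol and cipher.
LOGIN_RE = re.compile(
    r"imap-login: Info: Login: user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[^,]+),.*?"
    r"(?P<proto>TLSv1(?:\.\d)?|SSLv\d) with cipher (?P<cipher>\S+) .*?"
    r"session=<(?P<session>[^>]*)>")


def key_exchange(cipher: str) -> str:
    """Classify the key exchange from an OpenSSL cipher-suite name."""
    if cipher.startswith("TLS_"):
        # TLS 1.3 names omit the key exchange; TLS 1.3 always uses (EC)DHE.
        return "ECDHE"
    if cipher.startswith("ECDHE-"):
        return "ECDHE"
    if cipher.startswith(("DHE-", "EDH-")):
        return "DHE"
    return "static"  # RSA key transport or static (EC)DH: no forward secrecy


def analyse(log_text: str) -> dict:
    """Walk imap-login output and summarise failed handshakes and logins.

    Debug lines carry no session id, so a 'no shared cipher' debug line is
    attributed to the next 'Disconnected ... TLS handshaking' Info line. That
    is exact for the single-connection excerpts in the thread and a heuristic
    when several connections interleave in one log.
    """
    pending_no_shared_cipher = False
    failures, logins = [], []
    for line in log_text.splitlines():
        if NO_SHARED_CIPHER_RE.search(line):
            pending_no_shared_cipher = True
            continue
        m = HANDSHAKE_FAIL_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["no_shared_cipher"] = pending_no_shared_cipher
            pending_no_shared_cipher = False
            failures.append(rec)
            continue
        m = LOGIN_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["kx"] = key_exchange(rec["cipher"])
            rec["pfs"] = rec["kx"] in ("ECDHE", "DHE")
            logins.append(rec)
    kx_counts = Counter(rec["kx"] for rec in logins)
    return {
        "failures": failures,
        "logins": logins,
        "kx_counts": dict(kx_counts),
        "no_shared_cipher_failures": sum(1 for f in failures if f["no_shared_cipher"]),
        "ecdhe_ever_negotiated": kx_counts.get("ECDHE", 0) > 0,
    }


def offered_key_exchanges(cipher_list: str) -> dict:
    """Expand an OpenSSL cipher-list string (the format Dovecot's
    ssl_cipher_list uses) with the local OpenSSL and count the key exchange
    of each TLS 1.2-and-below suite it would offer. Result depends on the
    local OpenSSL build. Raises ssl.SSLError if nothing matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)
    return dict(Counter(key_exchange(c["name"]) for c in ctx.get_ciphers()
                        if c["protocol"] != "TLSv1.3"))


if __name__ == "__main__":
    summary = analyse(SAMPLE_LOG)
    print("handshake failures:", len(summary["failures"]),
          "of which 'no shared cipher':", summary["no_shared_cipher_failures"])
    print("key exchange of successful logins:", summary["kx_counts"])
    for ciphers in ("DHE-RSA-AES256-GCM-SHA384", "ECDHE+AESGCM:DHE+AESGCM:!aNULL"):
        try:
            print(f"{ciphers!r} offers:", offered_key_exchanges(ciphers))
        except ssl.SSLError as exc:
            print(f"{ciphers!r}: {exc}")
```

Run the script against a real log with `analyse(open("/var/log/dovecot.log").read())`: a stream of `no_shared_cipher_failures` with no ECDHE in `kx_counts` is exactly the symptom above, and `offered_key_exchanges` on the server's ssl_cipher_list tells you whether that is because the list never contained an ECDHE suite.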