"no shared cypher", no matter what I try

Marco Fioretti marco.fioretti at gmail.com
Tue Dec 11 11:58:42 EET 2018 

hello, and some update
short version: the error is still there, but I have some more data to
share, thanks in advance for further advice

first, I am using Mutt 1.10.1 (2018-07-13) as mail client, so it is
not an obsolete version.
second... at the moment I can send email through postfix on the same
server, with the
same certificates (almost: I still have to fix some stuff, but is NOT
related to SSL/TLS, e.g
reverse DNS).

However, running openssl as requested returns "no peer certificate
available", and when
I connect with mutt to dovecot I still get the "no shared cipher"
error. These are the permissions
on the certificate files:

ls -l /etc/letsencrypt/archive/<MYSERVER>/fullchain1.pem
/etc/letsencrypt/archive/<MYSERVER>/privkey1.pem
-r--------. 1 root root 3546 Dec  7 11:59
/etc/letsencrypt/archive/<MYSERVER>/fullchain1.pem
-r--------. 1 root root 1704 Dec  7 11:59
/etc/letsencrypt/archive/<MYSERVER>/privkey1.pem

output of openssl, dovecot -n, its current SSL settings and excerpt of
the log file are all below.

openssl s_client -host MY.ACTUAL.HOSTNAME.HERE -port 993
CONNECTED(00000003)
140141825717912:error:14077410:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1544521696
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

current SSL dovecot settings in conf.d/10-ssl.conf

ssl = yes

ssl_prefer_server_ciphers = yes

ssl_dh_parameters_length = 2048

sl_min_protocol = TLSv1.2

ssl_cert = </etc/letsencrypt/archive/<MYSERVER>/fullchain1.pem
ssl_key =  </etc/letsencrypt/archive/<MYSERVER>/privkey1.pem

ssl_cipher_list = ALL

output of dovecot -n:

# OS: Linux 3.10.0-957.1.3.el7.x86_64 x86_64 CentOS Linux release
7.6.1810 (Core)  ext4
# Hostname: SERVER NAME
auth_debug = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
mail_location = maildir:/var/mail/mymail_storage/base/
passdb {
  args = /etc/imap.v_users
  driver = passwd-file
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
}
ssl = required
userdb {
  args = /etc/imap.v_users
  driver = passwd-file
}
verbose_ssl = yes





this is the error message I get by when I tried to connect with mutt:


Dec 11 08:34:26 MYSERVER dovecot: master: Dovecot v2.2.36 (1f10bfa63)
starting up for imap, pop3, lmtp (core dumps disabled)
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x10,
ret=1: before/accept initialization [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL:
where=0x2001, ret=1: before/accept initialization [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: SSLv2/v3 read client hello A
[my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Warning: SSL alert:
where=0x4008, ret=552: fatal handshake failure [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: error [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL:
where=0x2002, ret=-1: error [my.home.ip.address]
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL error:
SSL_accept() failed: error:1408A0C1:SSL
routines:ssl3_get_client_hello:
Dec 11 08:34:34 MYSERVER dovecot: imap-login: Disconnected
(disconnected before auth was ready, waited 0 secs): user=<>,
rip=my.home.ip.address, lip=my.vps.ip.address, TLS hands
haking: SSL_accept() failed: error:1408A0C1:SSL
routines:ssl3_get_client_hello:no shared cipher,
session=<H8roHLp86psvNZ88>
Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Loading modules from
directory: /usr/lib64/dovecot/auth
Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Module loaded:
/usr/lib64/dovecot/auth/libdriver_sqlite.so
Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Read auth token secret
from /var/run/dovecot/auth-token-secret.dat
Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: passwd-file
/etc/imap.v_users: Read 1 users in 0 secs

More information about the dovecot mailing list