"no shared cypher", no matter what I try

Aki Tuomi aki.tuomi at open-xchange.com
Tue Dec 11 12:01:55 EET 2018


Hi!

You have misconfigured service imap-login; remove the 993 listener
config (it's there by default) or add ssl = yes to it.

Aki

On 11.12.2018 11.58, Marco Fioretti wrote:
> hello, and some update
> short version: the error is still there, but I have some more data to
> share; thanks in advance for further advice
>
> first, I am using Mutt 1.10.1 (2018-07-13) as mail client, so it is
> not an obsolete version.
> second... at the moment I can send email through postfix on the same
> server, with the same certificates (almost: I still have to fix some
> stuff, but it is NOT related to SSL/TLS, e.g. reverse DNS).
>
> However, running openssl as requested returns "no peer certificate
> available", and when I connect with mutt to dovecot I still get the
> "no shared cipher" error. These are the permissions on the certificate
> files:
>
> ls -l /etc/letsencrypt/archive/<MYSERVER>/fullchain1.pem /etc/letsencrypt/archive/<MYSERVER>/privkey1.pem
> -r--------. 1 root root 3546 Dec  7 11:59 /etc/letsencrypt/archive/<MYSERVER>/fullchain1.pem
> -r--------. 1 root root 1704 Dec  7 11:59 /etc/letsencrypt/archive/<MYSERVER>/privkey1.pem
>
> output of openssl, dovecot -n, its current SSL settings and excerpt of
> the log file are all below.
>
> openssl s_client -host MY.ACTUAL.HOSTNAME.HERE -port 993
> CONNECTED(00000003)
> 140141825717912:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 305 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1544521696
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> ---
>
> current SSL dovecot settings in conf.d/10-ssl.conf
>
> ssl = yes
>
> ssl_prefer_server_ciphers = yes
>
> ssl_dh_parameters_length = 2048
>
> sl_min_protocol = TLSv1.2
>
> ssl_cert = </etc/letsencrypt/archive/<MYSERVER>/fullchain1.pem
> ssl_key =  </etc/letsencrypt/archive/<MYSERVER>/privkey1.pem
>
> ssl_cipher_list = ALL
>
> output of dovecot -n:
>
> # OS: Linux 3.10.0-957.1.3.el7.x86_64 x86_64 CentOS Linux release 7.6.1810 (Core)  ext4
> # Hostname: SERVER NAME
> auth_debug = yes
> auth_mechanisms = plain login
> auth_verbose = yes
> auth_verbose_passwords = plain
> mail_location = maildir:/var/mail/mymail_storage/base/
> passdb {
>   args = /etc/imap.v_users
>   driver = passwd-file
> }
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     group = postfix
>     mode = 0660
>     user = postfix
>   }
> }
> service imap-login {
>   inet_listener imap {
>     port = 0
>   }
>   inet_listener imaps {
>     port = 993
>   }
> }
> ssl = required
> userdb {
>   args = /etc/imap.v_users
>   driver = passwd-file
> }
> verbose_ssl = yes
>
> this is the error message I got when I tried to connect with mutt:
>
> Dec 11 08:34:26 MYSERVER dovecot: master: Dovecot v2.2.36 (1f10bfa63) starting up for imap, pop3, lmtp (core dumps disabled)
> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [my.home.ip.address]
> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [my.home.ip.address]
> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [my.home.ip.address]
> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=552: fatal handshake failure [my.home.ip.address]
> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [my.home.ip.address]
> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: error [my.home.ip.address]
> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:
> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=my.home.ip.address, lip=my.vps.ip.address, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher, session=<H8roHLp86psvNZ88>
> Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
> Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
> Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
> Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
> Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: passwd-file /etc/imap.v_users: Read 1 users in 0 secs
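The fix Aki describes, shown as an added example that is not part of the thread and not Dovecot's own tooling: Dovecot's stock conf.d/10-master.conf defines the imaps listener as `port = 993` together with `ssl = yes`, so a local override that restates only `port = 993` silently drops the `ssl = yes` line, which is exactly what the `dovecot -n` output above shows. The block below places the posted service block beside the corrected one and adds a small POSIX sh/awk check that scans a `dovecot -n` dump for an imaps listener overridden without `ssl = yes`. Both config texts are constructed from the thread, and `imaps_listener_has_ssl` is a hypothetical helper name, not a Dovecot command.

```shell
#!/bin/sh
# Added example, not code from the thread or from Dovecot itself.
# Stock conf.d/10-master.conf has:
#   inet_listener imaps { port = 993  ssl = yes }
# Overriding that block with only `port = 993` loses `ssl = yes`.

# Constructed from the thread: the service block as posted (no ssl line).
BROKEN_CONF='service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
}'

# Constructed: the same block with `ssl = yes` restored on the 993 listener.
FIXED_CONF='service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}'

# imaps_listener_has_ssl CONFIG_TEXT   (hypothetical helper name)
# Scans a `dovecot -n`-style dump. Prints "ok" and returns 0 when every
# explicit `inet_listener imaps` block carries `ssl = yes`, or when no such
# block is present at all (then the stock default, which has ssl = yes,
# applies). Prints "missing" and returns 1 when a block overrides the
# default without it.
imaps_listener_has_ssl() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*inet_listener[ \t]+imaps[ \t{]*$/ { inblk = 1; has = 0; next }
        inblk && /^[ \t]*ssl[ \t]*=[ \t]*yes[ \t]*$/ { has = 1 }
        inblk && /^[ \t]*}[ \t]*$/ { inblk = 0; if (!has) bad = 1 }
        END { if (bad) { print "missing"; exit 1 } print "ok"; exit 0 }
    '
}

# Stand-alone demonstration: the posted block is flagged, the fixed one passes.
if imaps_listener_has_ssl "$BROKEN_CONF" >/dev/null; then
    echo "posted block: ok"
else
    echo "posted block: imaps listener on 993 has no 'ssl = yes'"
fi
imaps_listener_has_ssl "$FIXED_CONF" >/dev/null && echo "fixed block: ok"
```

After restarting Dovecot with the corrected block, `openssl s_client -connect MY.ACTUAL.HOSTNAME.HERE:993 -servername MY.ACTUAL.HOSTNAME.HERE` should print the server certificate chain instead of "no peer certificate available".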