"no shared cypher", no matter what I try

Aki Tuomi aki.tuomi at open-xchange.com
Tue Dec 11 12:57:12 EET 2018


Ah, the actual problem appears to be that you are not including the
conf.d directory at all in your config, so you are ending up with no
certificate at all. This is handled better in 2.3.x.

Aki

On 11.12.2018 12.01, Aki Tuomi wrote:
> Hi!
>
> You have misconfigured service imap-login, remove the 993 listener
> config (it's there by default) or add ssl = yes to it.
>
> Aki
>
> On 11.12.2018 11.58, Marco Fioretti wrote:
>> hello, and some update
>> short version: the error is still there, but I have some more data to
>> share, thanks in advance for further advice
>>
>> first, I am using Mutt 1.10.1 (2018-07-13) as mail client, so it is
>> not an obsolete version.
>> second... at the moment I can send email through postfix on the same
>> server, with the
>> same certificates (almost: I still have to fix some stuff, but is NOT
>> related to SSL/TLS, e.g
>> reverse DNS).
>>
>> However, running openssl as requested returns "no peer certificate
>> available", and when
>> I connect with mutt to dovecot I still get the "no shared cipher"
>> error. These are the permissions
>> on the certificate files:
>>
>> ls -l /etc/letsencrypt/archive/<MYSERVER>/fullchain1.pem
>> /etc/letsencrypt/archive/<MYSERVER>/privkey1.pem
>> -r--------. 1 root root 3546 Dec  7 11:59
>> /etc/letsencrypt/archive/<MYSERVER>/fullchain1.pem
>> -r--------. 1 root root 1704 Dec  7 11:59
>> /etc/letsencrypt/archive/<MYSERVER>/privkey1.pem
>>
>> output of openssl, dovecot -n, its current SSL settings and excerpt of
>> the log file are all below.
>>
>> openssl s_client -host MY.ACTUAL.HOSTNAME.HERE -port 993
>> CONNECTED(00000003)
>> 140141825717912:error:14077410:SSL
>> routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
>> failure:s23_clnt.c:769:
>> ---
>> no peer certificate available
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 7 bytes and written 305 bytes
>> ---
>> New, (NONE), Cipher is (NONE)
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> SSL-Session:
>>     Protocol  : TLSv1.2
>>     Cipher    : 0000
>>     Session-ID:
>>     Session-ID-ctx:
>>     Master-Key:
>>     Key-Arg   : None
>>     PSK identity: None
>>     PSK identity hint: None
>>     SRP username: None
>>     Start Time: 1544521696
>>     Timeout   : 300 (sec)
>>     Verify return code: 0 (ok)
>> ---
>>
>> current SSL dovecot settings in conf.d/10-ssl.conf
>>
>> ssl = yes
>>
>> ssl_prefer_server_ciphers = yes
>>
>> ssl_dh_parameters_length = 2048
>>
>> sl_min_protocol = TLSv1.2
>>
>> ssl_cert = </etc/letsencrypt/archive/<MYSERVER>/fullchain1.pem
>> ssl_key =  </etc/letsencrypt/archive/<MYSERVER>/privkey1.pem
>>
>> ssl_cipher_list = ALL
>>
>> output of dovecot -n:
>>
>> # OS: Linux 3.10.0-957.1.3.el7.x86_64 x86_64 CentOS Linux release
>> 7.6.1810 (Core)  ext4
>> # Hostname: SERVER NAME
>> auth_debug = yes
>> auth_mechanisms = plain login
>> auth_verbose = yes
>> auth_verbose_passwords = plain
>> mail_location = maildir:/var/mail/mymail_storage/base/
>> passdb {
>>   args = /etc/imap.v_users
>>   driver = passwd-file
>> }
>> service auth {
>>   unix_listener /var/spool/postfix/private/auth {
>>     group = postfix
>>     mode = 0660
>>     user = postfix
>>   }
>> }
>> service imap-login {
>>   inet_listener imap {
>>     port = 0
>>   }
>>   inet_listener imaps {
>>     port = 993
>>   }
>> }
>> ssl = required
>> userdb {
>>   args = /etc/imap.v_users
>>   driver = passwd-file
>> }
>> verbose_ssl = yes
>>
>> this is the error message I get when I try to connect with mutt:
>>
>> Dec 11 08:34:26 MYSERVER dovecot: master: Dovecot v2.2.36 (1f10bfa63)
>> starting up for imap, pop3, lmtp (core dumps disabled)
>> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL: where=0x10,
>> ret=1: before/accept initialization [my.home.ip.address]
>> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL:
>> where=0x2001, ret=1: before/accept initialization [my.home.ip.address]
>> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL:
>> where=0x2002, ret=-1: SSLv2/v3 read client hello A
>> [my.home.ip.address]
>> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Warning: SSL alert:
>> where=0x4008, ret=552: fatal handshake failure [my.home.ip.address]
>> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL:
>> where=0x2002, ret=-1: error [my.home.ip.address]
>> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL:
>> where=0x2002, ret=-1: error [my.home.ip.address]
>> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Debug: SSL error:
>> SSL_accept() failed: error:1408A0C1:SSL
>> routines:ssl3_get_client_hello:
>> Dec 11 08:34:34 MYSERVER dovecot: imap-login: Disconnected
>> (disconnected before auth was ready, waited 0 secs): user=<>,
>> rip=my.home.ip.address, lip=my.vps.ip.address, TLS hands
>> haking: SSL_accept() failed: error:1408A0C1:SSL
>> routines:ssl3_get_client_hello:no shared cipher,
>> session=<H8roHLp86psvNZ88>
>> Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Loading modules from
>> directory: /usr/lib64/dovecot/auth
>> Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Module loaded:
>> /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
>> Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Module loaded:
>> /usr/lib64/dovecot/auth/libdriver_sqlite.so
>> Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: Read auth token secret
>> from /var/run/dovecot/auth-token-secret.dat
>> Dec 11 08:34:34 MYSERVER dovecot: auth: Debug: passwd-file
>> /etc/imap.v_users: Read 1 users in 0 secs
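Added example, not part of the thread: a small shell check over a `doveconf -n` dump for the two problems Aki points at, TLS enabled with no `ssl_cert`/`ssl_key` in effect (the sign that dovecot.conf is not including conf.d) and an `inet_listener imaps` block without `ssl = yes`. The function names and the two sample dumps (one mirroring the excerpt above, one with the fixes applied) are constructed for the example.

```shell
# Added example (not from the thread): sanity-check a `doveconf -n` dump for TLS
# on with no ssl_cert/ssl_key in effect, and an imaps listener lacking ssl = yes.
# Exit status: 0 cert+key present, 1 ssl on but no ssl_cert, 2 no ssl_key, 3 ssl off.
check_dovecot_ssl() {
    ssl=$(sed -n 's/^ssl = //p' "$1" | tail -n 1)
    cert=$(sed -n 's/^ssl_cert = //p' "$1" | tail -n 1)
    key=$(sed -n 's/^ssl_key = //p' "$1" | tail -n 1)
    case "$ssl" in
        ""|no) echo "ssl is off: port 993 cannot do TLS"; return 3 ;;
    esac
    if [ -z "$cert" ]; then
        echo "ssl = $ssl but no ssl_cert in effect: is '!include conf.d/*.conf' in dovecot.conf?"
        return 1
    fi
    [ -n "$key" ] || { echo "ssl_cert set but no ssl_key"; return 2; }
    echo "cert: $cert key: $key"
}
# Exit status: 0 if every 'inet_listener imaps' block contains 'ssl = yes', else 1.
check_imaps_listener() {
    awk '$1 == "inet_listener" && $2 == "imaps" { inblk = 1; has_ssl = 0; next }
         inblk && $1 == "ssl" && $3 == "yes"  { has_ssl = 1 }
         inblk && $1 == "}"                    { inblk = 0; if (!has_ssl) bad = 1 }
         END { exit bad ? 1 : 0 }' "$1"
}
# Constructed samples: the first mirrors the dovecot -n excerpt from the thread,
# the second is the same dump with the two fixes applied.
BROKEN_DUMP=$(mktemp); FIXED_DUMP=$(mktemp)
cat > "$BROKEN_DUMP" <<'EOF'
service imap-login {
  inet_listener imaps {
    port = 993
  }
}
ssl = required
EOF
cat > "$FIXED_DUMP" <<'EOF'
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
ssl = required
ssl_cert = </etc/letsencrypt/archive/<MYSERVER>/fullchain1.pem
ssl_key = </etc/letsencrypt/archive/<MYSERVER>/privkey1.pem
EOF
check_dovecot_ssl "$BROKEN_DUMP" || echo "status $?"
check_dovecot_ssl "$FIXED_DUMP" && check_imaps_listener "$FIXED_DUMP" && echo "config looks sane"
```

On a live box run it as `doveconf -n > /tmp/dump && check_dovecot_ssl /tmp/dump`; a dump with `ssl = required` but no `ssl_cert` line is exactly the state the log above describes.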