TLS handshake failure - Client Helo rejected

Aki Tuomi aki.tuomi at open-xchange.com
Sun Oct 7 09:20:01 EEST 2018 

> On 07 October 2018 at 01:53 VB <vitbenes at centrum.cz> wrote:
> 
> 
> Hi,
> 
> I can no longer connect to Dovecot (IMAP). The connection is terminated 
> by Dovecot after Client Helo.
> 
> My server:
> Dovecot 2.3.3
> Debian buster/sid
> Architecture: ppc
> 
> My problems started in late August after upgrading Dovecot.
> 
> SSL settings:
> ssl_dh = </etc/ssl/dh2048.pem
> ssl_min_protocol = TLSv1.2
> ssl_cipher_list = 
> ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
> ssl_prefer_server_ciphers = yes
> 
> Client:
> OS Android 6.0.1
> Aquamail
> 
> Log from Dovecot:
> 
> Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL: where=0x10, 
> ret=1: before SSL initialization
> Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL: where=0x2001, 
> ret=1: before SSL initialization
> Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL: where=0x2002, 
> ret=-1: before SSL initialization
> Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL: where=0x2001, 
> ret=1: before SSL initialization
> Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL alert: 
> where=0x4008, ret=598: fatal unknown
> Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL: where=0x2002, 
> ret=-1: error
> Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL error: 
> SSL_accept() failed: error:14209175:SSL 
> routines:tls_early_post_process_client_hello:inappropriate fallback
> Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL error: 
> SSL_accept() syscall failed: Invalid argument
> Sep 15 23:19:02 debian2 dovecot: imap-login: Disconnected (no auth 
> attempts in 0 secs): user=<>, rip=XXX.XXX.XXX.XXX, 
> lip=XXX.XXX.XXX.XXX,TLS handshaking: SSL_accept() syscall failed: 
> Invalid argument, session=<XXXXXXXXXXX>
> 
> Log from client (Aquamail) is a bit longer (see attachment).
> 
> 
> I have also listened to the communication using Wireshark. The last 
> piece of communication is Client Helo. After the client sends Client 
> Helo, there is no reply from Dovecot and the server closes the 
> communication.
> 
> This is the Client Helo, in the "structured view" iin Wireshark:
> 
> |Secure Sockets Layer     TLSv1 Record Layer: Handshake Protocol: Client 
> Hello         Content Type: Handshake (22)         Version: TLS 1.0 
> (0x0301)         Length: 176         Handshake Protocol: Client Hello   
>            Handshake Type: Client Hello (1)             Length: 172     
>          Version: TLS 1.2 (0x0303)             Random: 
> 2b7af5ba92040f081a5a3621e9d9cbab2d50b829b7fe755f...             Session 
> ID Length: 0             Cipher Suites Length: 62             Cipher 
> Suites (31 suites)                 Cipher Suite: 
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)                 Cipher 
> Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)                 
> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)           
>        Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)   
>                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 
> (0x009f)                 Cipher Suite: 
> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)                 Cipher 
> Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)                 Cipher 
> Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)                 Cipher 
> Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)                 
> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)               
>    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)       
>            Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)   
>                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)   
>                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)       
>            Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) 
>                  Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 
> (0xc013)                 Cipher Suite: 
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)                 Cipher 
> Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)                 
> Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)                 
> Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)                 
> Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)               
>    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)               
>    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)           
>        Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)           
>        Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)             
>      Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)             
>      Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)                 
> Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)                 Cipher 
> Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)                 Cipher 
> Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)                 Cipher 
> Suite: TLS_FALLBACK_SCSV (0x5600)             Compression Methods 
> Length: 1             Compression Methods (1 method)             
> Extensions Length: 69             Extension: server_name (len=17)       
>        Extension: extended_master_secret (len=0)             Extension: 
> signature_algorithms (len=22)                 Type: signature_algorithms 
> (13)                 Length: 22                 Signature Hash 
> Algorithms Length: 20                 Signature Hash Algorithms (10 
> algorithms)                     Signature Algorithm: rsa_pkcs1_sha512 
> (0x0601)                     Signature Algorithm: ecdsa_secp521r1_sha512 
> (0x0603)                     Signature Algorithm: rsa_pkcs1_sha384 
> (0x0501)                     Signature Algorithm: ecdsa_secp384r1_sha384 
> (0x0503)                     Signature Algorithm: rsa_pkcs1_sha256 
> (0x0401)                     Signature Algorithm: ecdsa_secp256r1_sha256 
> (0x0403)                     Signature Algorithm: SHA224 RSA (0x0301)   
>                    Signature Algorithm: SHA224 ECDSA (0x0303)           
>            Signature Algorithm: rsa_pkcs1_sha1 (0x0201)                 
>      Signature Algorithm: ecdsa_sha1 (0x0203) |
> |What I tried: |
> 
>   * |change all possible settings in Dovecot (ssl_min_protocol,
>     ssl_cipher_list ...)|
>   * |change certificate I use|
> 
> |I also got in touch with the developer of Aquamail (see our discussion 
> here: https://www.aqua-mail.com/forum/index.php?topic=6824.0 ).|
> 
> |The developer was able to reproduce the handshake error. We believe 
> that the problem is that Dovecot rejects ClientHello as long as it is 
> wrapped in the TLSv1 Record Layer (see the second lilne in the Wireshark 
> log). According to the developer, Dovecot should accept Client Helo 
> wrapped in the TLSv1 Record Layer.|
> 
> |Thank you very much for your help. Best regards VB |
>

Hi!

Sep 15 23:19:02 debian2 dovecot: imap-login: Debug: SSL error: SSL_accept() failed: error:14209175:SSL routines:tls_early_post_process_client_hello:inappropriate fallback

It seems that the client has TLS_FALLBACK_SCSV cipher suite specified, which is causing the error.

See https://mta.openssl.org/pipermail/openssl-users/2017-June/005913.html

Aki

More information about the dovecot mailing list