TLS not working with iOS beta?

Henrik Johansson henrikj at henkis.net
Wed Sep 4 21:11:04 EEST 2019


Hi,

Have anyone else experienced problems using Dovecot with the mail app in beta releases of iOS/iPadOS 13?

TLS is failing for my, it have worked fine for years and I am on the latest Dovecot version now, it works fine with older clients but not with the ones upgraded:

Sep 04 19:49:16 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization
Sep 04 19:49:16 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization
Sep 04 19:49:16 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A
Sep 04 19:49:16 imap-login: Debug: SSL alert: where=0x4008, ret=552: fatal handshake failure
Sep 04 19:49:16 imap-login: Debug: SSL: where=0x2002, ret=-1: error
Sep 04 19:49:16 imap-login: Debug: SSL: where=0x2002, ret=-1: error
Sep 04 19:49:16 imap-login: Debug: SSL error: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
Sep 04 19:49:16 imap-login: Debug: SSL: where=0x2002, ret=-1: error
Sep 04 19:49:16 imap-login: Debug: SSL error: SSL_accept() failed: error:140800FF:SSL routines:ssl3_accept:unknown state
Sep 04 19:49:16 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=11.22.33.44, lip=11.22.33.44, TLS handshaking: SSL_accept() failed: error:140800FF:SSL routines:ssl3_accept:unknown state, session=<lz7m2r2rjPouOvrk>

Working client:

Sep 04 19:57:58 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization
Sep 04 19:57:58 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization
Sep 04 19:57:58 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A
Sep 04 19:57:58 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A
Sep 04 19:57:58 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A
Sep 04 19:57:58 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A
Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A
Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A
Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data
Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client certificate A
Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client key exchange A
Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client key exchange A
Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client key exchange A
Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client key exchange A
Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A
Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read certificate verify A
Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read finished A
Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A
Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A
Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A
Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data
Sep 04 19:58:03 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully
Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully
Sep 04 19:58:03 imap-login: Info: Login: user=<username>, method=LOGIN, rip=11.22.33.44, lip=11.22.33.44, mpid=28781, TLS, TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits), session=<LklR9r2Vtb4uOzra>


Config:

# egrep -v "^#|^$" 10-ssl.conf 10-auth.conf
10-ssl.conf:ssl = required
10-ssl.conf:ssl_cert = </path/to/fullchain.pem
10-ssl.conf:ssl_key = </path/to/privkey.pem
10-ssl.conf:ssl_dh = </path/to/dh.pem
10-ssl.conf:ssl_min_protocol = TLSv1.1
10-ssl.conf:ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW at STRENGTH
10-auth.conf:disable_plaintext_auth = yes
10-auth.conf:auth_mechanisms = login
10-auth.conf:!include auth-system.conf.ext

# dovecot --version
2.3.7.2 (3c910f64b)

Anyone seeing something similar and/or have suggestions on how to proceed?

Regards
Henrik


More information about the dovecot mailing list