> On 4 Sept 2019, at 21:35, Jean-Daniel via dovecot <[email protected]> wrote:
>
>>
>> On 4 Sept 2019, at 20:11, Henrik Johansson via dovecot <[email protected]> wrote:
>>
>> Hi,
>>
>> Has anyone else experienced problems using Dovecot with the mail app in
>> beta releases of iOS/iPadOS 13?
>>
>> TLS is failing for me; it has worked fine for years and I am on the latest
>> Dovecot version now. It works fine with older clients but not with the
>> upgraded ones:
>>
>> Sep 04 19:49:16 imap-login: Debug: SSL: where=0x10, ret=1: before/accept
>> initialization
>> Sep 04 19:49:16 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept
>> initialization
>> Sep 04 19:49:16 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read
>> client hello A
>> Sep 04 19:49:16 imap-login: Debug: SSL alert: where=0x4008, ret=552: fatal
>> handshake failure
>> Sep 04 19:49:16 imap-login: Debug: SSL: where=0x2002, ret=-1: error
>> Sep 04 19:49:16 imap-login: Debug: SSL: where=0x2002, ret=-1: error
>> Sep 04 19:49:16 imap-login: Debug: SSL error: SSL_accept() failed:
>> error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
>> Sep 04 19:49:16 imap-login: Debug: SSL: where=0x2002, ret=-1: error
>> Sep 04 19:49:16 imap-login: Debug: SSL error: SSL_accept() failed:
>> error:140800FF:SSL routines:ssl3_accept:unknown state
>> Sep 04 19:49:16 imap-login: Info: Disconnected (no auth attempts in 0 secs):
>> user=<>, rip=11.22.33.44, lip=11.22.33.44, TLS handshaking: SSL_accept()
>> failed: error:140800FF:SSL routines:ssl3_accept:unknown state,
>> session=<lz7m2r2rjPouOvrk>
>>
>> Working client:
>>
>> Sep 04 19:57:58 imap-login: Debug: SSL: where=0x10, ret=1: before/accept
>> initialization
>> Sep 04 19:57:58 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept
>> initialization
>> Sep 04 19:57:58 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read
>> client hello A
>> Sep 04 19:57:58 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read
>> client hello A
>> Sep 04 19:57:58 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
>> server hello A
>> Sep 04 19:57:58 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
>> certificate A
>> Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key
>> exchange A
>> Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
>> server done A
>> Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data
>> Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read
>> client certificate A
>> Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read
>> client key exchange A
>> Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read
>> client key exchange A
>> Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read
>> client key exchange A
>> Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read
>> client key exchange A
>> Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read
>> client key exchange A
>> Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read
>> certificate verify A
>> Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read
>> finished A
>> Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read
>> finished A
>> Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
>> change cipher spec A
>> Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write
>> finished A
>> Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data
>> Sep 04 19:58:03 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation
>> finished successfully
>> Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation
>> finished successfully
>> Sep 04 19:58:03 imap-login: Info: Login: user=<username>, method=LOGIN,
>> rip=11.22.33.44, lip=11.22.33.44, mpid=28781, TLS, TLSv1.2 with cipher
>> DHE-RSA-AES256-GCM-SHA384 (256/256 bits), session=<LklR9r2Vtb4uOzra>
>>
>>
>> Config:
>>
>> # egrep -v "^#|^$" 10-ssl.conf 10-auth.conf
>> 10-ssl.conf:ssl = required
>> 10-ssl.conf:ssl_cert = </path/to/fullchain.pem
>> 10-ssl.conf:ssl_key = </path/to/privkey.pem
>> 10-ssl.conf:ssl_dh = </path/to/dh.pem
>> 10-ssl.conf:ssl_min_protocol = TLSv1.1
>> 10-ssl.conf:ssl_cipher_list =
>> ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
>> 10-auth.conf:disable_plaintext_auth = yes
>> 10-auth.conf:auth_mechanisms = login
>> 10-auth.conf:!include auth-system.conf.ext
>>
>> # dovecot --version
>> 2.3.7.2 (3c910f64b)
>
> Just a wild guess, as I haven’t tried to configure Mail on Catalina yet, but it
> looks like your server only supports ‘DHE-RSA…’ ciphers.
> I think that modern systems prefer using ECDHE key exchange and I would not be
> surprised if iOS requires it.
>
> What version of OpenSSL are you using?
An interesting note from the Apple documentation about what is considered a
secure server:
• The link must support perfect forward secrecy (PFS) through Elliptic
Curve Diffie-Hellman Ephemeral (ECDHE) key exchange.
https://developer.apple.com/documentation/security/preventing_insecure_network_connections
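The quickest way to tell whether a "no shared cipher" failure like the one in the log comes from the configured ssl_cipher_list or from the OpenSSL build is to expand the cipher string on the Dovecot host itself and look at the key exchanges it actually yields. The script below is an added example, not code from the thread or from Dovecot; it feeds the posted ssl_cipher_list to the local libssl through Python's standard ssl module, lists the ECDHE-RSA suites it produces, and then intersects the server list with a constructed client offer that only contains ECDHE suites, which reproduces the empty intersection behind "no shared cipher". The DHE-only server string and the ECDHE-only client list are constructed for the demonstration and are assumptions (Apple's real suite list is not reproduced); the posted cipher string is copied verbatim from the 10-ssl.conf above.

```python
"""Offline check of a Dovecot ssl_cipher_list for ECDHE (forward-secret) suites.

Added example (not from the mailing-list thread or from Dovecot): expands an
OpenSSL cipher string with the local libssl, reports the key exchanges it
yields, and intersects it with a constructed ECDHE-only client offer to show
the 'no shared cipher' outcome. Run it on the Dovecot host so the result
reflects that host's OpenSSL build. Requires Python 3.6+ (ssl.get_ciphers).
"""
import re
import ssl

# Cipher list exactly as posted in the thread's 10-ssl.conf.
POSTED_CIPHER_LIST = (
    "ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:"
    "!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH"
)

# Constructed (hypothetical) server list with ECDHE removed, i.e. a server
# that really does offer only finite-field DHE-RSA suites.
DHE_ONLY_CIPHER_LIST = POSTED_CIPHER_LIST.replace("ALL:", "ALL:!ECDHE:", 1)

# Constructed client offer standing in for a client that insists on ECDHE.
# Assumption for the demo only; it is not Apple's actual ClientHello.
ECDHE_ONLY_CLIENT_LIST = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
)

# OpenSSL's SSL_CIPHER_description() format: "... Kx=ECDH  Au=RSA  Enc=... Mac=..."
_KX_RE = re.compile(r"Kx=(\S+)\s+Au=(\S+)")


def expand(cipher_string):
    """Return the TLS<=1.2 suites the local OpenSSL derives from cipher_string,
    as (name, key_exchange, auth) tuples in negotiation order.

    TLS 1.3 suites are skipped: OpenSSL always lists them, they are not
    governed by ssl_cipher_list, and the posted failure is a TLS 1.2 handshake.
    Unknown aliases in the string (e.g. kDHd on newer OpenSSL) are ignored by
    libssl; set_ciphers() only raises if no suite at all matches.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    suites = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        m = _KX_RE.search(c["description"])
        if m is None:
            continue
        suites.append((c["name"], m.group(1), m.group(2)))
    return suites


def ecdhe_rsa_suites(cipher_string):
    """Names of suites using ephemeral ECDH key exchange with RSA auth: the
    ones an RSA-certificate server can use to give a client PFS via ECDHE."""
    return [n for n, kx, au in expand(cipher_string) if kx == "ECDH" and au == "RSA"]


def shared_suites(server_string, client_string):
    """Suites both sides accept, in server order. An empty list is what the
    server sees right before it logs 'no shared cipher'."""
    offered = {n for n, _, _ in expand(client_string)}
    return [n for n, _, _ in expand(server_string) if n in offered]


if __name__ == "__main__":
    for label, s in (("posted", POSTED_CIPHER_LIST), ("DHE-only", DHE_ONLY_CIPHER_LIST)):
        kx = sorted({k for _, k, _ in expand(s)})
        shared = shared_suites(s, ECDHE_ONLY_CLIENT_LIST)
        print(f"{label:9s} key exchanges: {kx}; ECDHE-RSA suites: {len(ecdhe_rsa_suites(s))}")
        print(f"{'':9s} shared with ECDHE-only client: {shared or 'NONE (no shared cipher)'}")
```

If the posted string yields ECDHE-RSA suites on the Dovecot host, the configuration is not what keeps ECDHE out and the OpenSSL build or the certificate/key type is the next thing to look at; if it yields none, the output names the aliases to revisit before touching anything else.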