Hi everyone,

recently I migrated my mail server from an Ubuntu 16.04 box to an Ubuntu 20.04 box, so from dovecot 2.2.22 to 2.3.7.2, and to openssl 1.1.1.f. While everything else works fine, I have one important user stuck on an iOS 9 device that I need to support for a while longer, with which the IMAP TLS handshake keeps failing. From the logs:

    TLS handshaking: SSL_accept() failed: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol

I didn't find a debug option to dump the TLS handshake details, so I analyzed a packet dump and found the following capabilities and cipher suites offered by the client:

    Transport Layer Security
        TLSv1 Record Layer: Handshake Protocol: Client Hello
            Content Type: Handshake (22)
            Version: TLS 1.0 (0x0301)
            Length: 149
            Handshake Protocol: Client Hello
                Handshake Type: Client Hello (1)
                Length: 145
                Version: TLS 1.0 (0x0301)
                Random: 5fef787ac06215d0a4edefd17602fadf409ab0512e04e62ade6192f2499f4896
                Session ID Length: 0
                Cipher Suites Length: 50
                Cipher Suites (25 suites)
                    Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                    Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
                    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                    Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                    Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
                    Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
                    Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                    Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
                Compression Methods Length: 1
                Compression Methods (1 method)
                    Compression Method: null (0)
                Extensions Length: 54
                Extension: server_name (len=19)
                    Type: server_name (0)
                    Length: 19
                    Server Name Indication extension
                Extension: supported_groups (len=8)
                Extension: ec_point_formats (len=2)
                    Type: ec_point_formats (11)
                    Length: 2
                    EC point formats Length: 1
                    Elliptic curves point formats (1)
                        EC point format: uncompressed (0)
                Extension: status_request (len=5)
                    Type: status_request (5)
                    Length: 5
                    Certificate Status Type: OCSP (1)
                    Responder ID list Length: 0
                    Request Extensions Length: 0
                Extension: signed_certificate_timestamp (len=0)
                    Type: signed_certificate_timestamp (18)
                    Length: 0

I already tweaked the dovecot-ssl config down with "ssl_min_protocol = TLSv1" and included ECDHE-ECDSA-AES256-SHA in the cipher list, but the client still won't connect.

Does anyone have an idea what else I could try?

Thanks
Maik
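
The fields read by hand from the packet dump above can also be extracted from the raw record bytes. The following Python parser is an added example, not part of the original post: it reports the highest protocol version a ClientHello offers, its cipher suite IDs and extension types, and compares the version against a server minimum. The sample bytes and the helper names `wrap` and `meets_minimum` are constructed for illustration.

```python
import struct

def wrap(body: bytes) -> bytes:
    """Wrap a ClientHello body in handshake and TLS 1.0 record headers."""
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed sample, not the capture from the post: version TLS 1.0, zero
# random, empty session ID, four cipher suites, null compression, one extension.
SAMPLE = wrap(bytes.fromhex("0301") + bytes(32) + b"\x00"
              + bytes.fromhex("0008" "00ff" "c00a" "c014" "0035")
              + bytes.fromhex("0100") + bytes.fromhex("0006" "000b0002" "0100"))

def parse_client_hello(record: bytes) -> dict:
    """Return highest offered version, cipher suite IDs and extension types."""
    try:
        ctype, _, rec_len = struct.unpack_from("!BHH", record)
        hs = record[5:5 + rec_len]
        if ctype != 22 or hs[0] != 1:
            raise ValueError("not a handshake record carrying a ClientHello")
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        (legacy,) = struct.unpack_from("!H", body)
        pos = 2 + 32                        # skip version and random
        pos += 1 + body[pos]                # skip session ID
        (cs_len,) = struct.unpack_from("!H", body, pos)
        suites = [struct.unpack_from("!H", body, pos + 2 + i)[0] for i in range(0, cs_len, 2)]
        pos += 2 + cs_len
        pos += 1 + body[pos]                # skip compression methods
        offered, exts = [legacy], []
        if pos < len(body):                 # the extensions block is optional
            (ext_len,) = struct.unpack_from("!H", body, pos)
            pos, end = pos + 2, pos + 2 + ext_len
            while pos + 4 <= end:
                etype, elen = struct.unpack_from("!HH", body, pos)
                data = body[pos + 4:pos + 4 + elen]
                exts.append(etype)
                if etype == 43:             # supported_versions replaces the legacy field
                    vs = [struct.unpack_from("!H", data, i)[0] for i in range(1, 1 + data[0], 2)]
                    offered = [v for v in vs if (v & 0x0f0f) != 0x0a0a]  # drop GREASE
                pos += 4 + elen
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated or malformed ClientHello") from exc
    return {"max_version": max(offered), "cipher_suites": suites, "extensions": exts}

def meets_minimum(hello: dict, server_min: int) -> bool:
    """True if the client's highest offered version reaches the server minimum."""
    return hello["max_version"] >= server_min
```

Versions are the wire values shown in the dump, for example 0x0301 for TLS 1.0 and 0x0303 for TLS 1.2.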
On 01 Jan 2021, at 16:01, Maik Musall <lists at musall.de> wrote:
> recently I migrated my mail server from an Ubuntu 16.04 box to an Ubuntu 20.04 box, so from dovecot 2.2.22 to 2.3.7.2, and to openssl 1.1.1.f. While everything else works fine, I have one important user stuck on an iOS 9 device that I need to support for a while longer, with which the IMAP TLS handshake keeps failing. From the logs:

macOS 9 does not support any currently valid and supported TLS version and cannot communicate on the Internet securely.

> Does anyone have an idea what else I could try?

Have them get an iPad for mail? I don't think they can even use secure webmail.

-- 
All he [Vimes] knew was that you couldn't hope to try for the big stuff, like world peace and happiness, but you might just about be able to achieve some tiny deed that'd make the world, in a small way, a better place. Like shooting someone.