N0ury / ImapNote2

Sync your notes between Android, iOs devices and different accounts like Gmail, iCloud and others
GNU General Public License v3.0
37 stars 31 forks source link

TLS handshake error #21

Open hdatma opened 8 years ago

hdatma commented 8 years ago

The following holds on ImapNotes2 from Google Play: https://play.google.com/store/apps/details?id=com.Pau.ImapNotes2&hl=en

What you see is the relevant log entry from the Dovecot IMAPS server:

016-06-07T11:12:26.32349 2016-06-07T13:12:26 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=[omitted-client-ip], lip=[omitted-server-ip], TLS handshaking: SSL_accept() failed: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown: SSL alert number 46

2016-06-07T11:12:27.16930 2016-06-07T13:12:27 imap-login: Info: Disconnected (no auth attempts in 1 secs): user=<>, rip=[omitted-client-ip], lip=[omitted-server-ip], TLS, TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

As evident from the log, the client fails the TLS handshake. The problem is specific to ImapNotes2, because Apple Notes and Thunderbird sync correctly.

The server Dovecot is configured to accept the following:

ssl_protocols = TLSv1 TLSv1.1 TLSv1.2 ssl_cipher_list = ECDHE+AEAD:ECDHE-RSA-AES256-SHA384 auth_mechanisms = cram-md5

N0ury commented 8 years ago

Hi,

I use a dovecot imap server with the following: ssl_protocols = !SSLv2 !SSLv3 no ssl_cipher_list auth_mechanisms = plain disable_plaintext_auth = no and it works fine in the log, I have: dovecot: imap-login: Login: user=, method=PLAIN, rip=ww.xx.yy.zz, lip=ww.xx.yy.zz, mpid=30687, TLS, session=

But I must admit I'm not comfortable with TLS/SSL, and I have spent much time making ImapNotes2 work w/ and w/o TLS/SSL ans w/ and w/o certificate, and with STARTTLS.

Can you please create an account for me, and send me credentials at nb@dagami.org. I'll do some tests to try to undestand what's happening

Regards

Noury

hdatma commented 8 years ago

Hi, Sorry, this is a production system whose accounting rules do not allow guests.

Both Apple Notes and Thunderbird connect and sync very well, and therefore, the problem is on the specific client, namely, the combination of OS and software.

Our servers use libressl, where SSLv2 and SSLv3 are disabled/removed from source. The client giving problems is an Android 5.1.1, which supports both TLSv1.2 and ECDHE-RSA-AES256-SHA (0xc014), and is not compatible with sslv2 handshakes: https://www.ssllabs.com/ssltest/viewClient.html?name=Android&version=5.0.0&key=88

Are you sure ImapNotes2 can shake hands using TLSv1?