> On 4 Sept. 2019 at 20:11, Henrik Johansson via dovecot <dovecot@dovecot.org> wrote:
>
> Hi,
>
> Has anyone else experienced problems using Dovecot with the mail app in beta releases of iOS/iPadOS 13?
>
> TLS is failing for me; it has worked fine for years and I am on the latest Dovecot version now. It works fine with older clients but not with the ones upgraded:
>
> Sep 04 19:49:16 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization
> Sep 04 19:49:16 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization
> Sep 04 19:49:16 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A
> Sep 04 19:49:16 imap-login: Debug: SSL alert: where=0x4008, ret=552: fatal handshake failure
> Sep 04 19:49:16 imap-login: Debug: SSL: where=0x2002, ret=-1: error
> Sep 04 19:49:16 imap-login: Debug: SSL: where=0x2002, ret=-1: error
> Sep 04 19:49:16 imap-login: Debug: SSL error: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
> Sep 04 19:49:16 imap-login: Debug: SSL: where=0x2002, ret=-1: error
> Sep 04 19:49:16 imap-login: Debug: SSL error: SSL_accept() failed: error:140800FF:SSL routines:ssl3_accept:unknown state
> Sep 04 19:49:16 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=11.22.33.44, lip=11.22.33.44, TLS handshaking: SSL_accept() failed: error:140800FF:SSL routines:ssl3_accept:unknown state, session=<lz7m2r2rjPouOvrk>
>
> Working client:
>
> Sep 04 19:57:58 imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization
> Sep 04 19:57:58 imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization
> Sep 04 19:57:58 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A
> Sep 04 19:57:58 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client hello A
> Sep 04 19:57:58 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server hello A
> Sep 04 19:57:58 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write certificate A
> Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write key exchange A
> Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write server done A
> Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data
> Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client certificate A
> Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client key exchange A
> Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client key exchange A
> Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client key exchange A
> Sep 04 19:58:01 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read client key exchange A
> Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read client key exchange A
> Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read certificate verify A
> Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3 read finished A
> Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 read finished A
> Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write change cipher spec A
> Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 write finished A
> Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3 flush data
> Sep 04 19:58:03 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully
> Sep 04 19:58:03 imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully
> Sep 04 19:58:03 imap-login: Info: Login: user=<username>, method=LOGIN, rip=11.22.33.44, lip=11.22.33.44, mpid=28781, TLS, TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits), session=<LklR9r2Vtb4uOzra>
>
> Config:
>
> # egrep -v "^#|^$" 10-ssl.conf 10-auth.conf
> 10-ssl.conf:ssl = required
> 10-ssl.conf:ssl_cert = </path/to/fullchain.pem
> 10-ssl.conf:ssl_key = </path/to/privkey.pem
> 10-ssl.conf:ssl_dh = </path/to/dh.pem
> 10-ssl.conf:ssl_min_protocol = TLSv1.1
> 10-ssl.conf:ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
> 10-auth.conf:disable_plaintext_auth = yes
> 10-auth.conf:auth_mechanisms = login
> 10-auth.conf:!include auth-system.conf.ext
>
> # dovecot --version
> 2.3.7.2 (3c910f64b)

Just a wild guess as I didn’t try to configure Mail on Catalina yet, but it looks like your server only supports ‘DHE-RSA…’ ciphers. I think that modern systems prefer using ECDHE key exchange and would not be surprised if iOS requires it. What version of OpenSSL are you using?
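
An added example, not part of either message in this thread: a Python triage of the imap-login lines quoted above that pairs each failed handshake with the first OpenSSL error logged before the disconnect and records the suite negotiated on each successful login. The function and variable names are hypothetical, and it assumes one connection's debug lines are not interleaved with another's, since the debug lines carry no session id.

```python
import re

# Log lines copied from the thread above with the e-mail wrapping removed.
# Assumption: lines of different connections are not interleaved.
SAMPLE = """\
Sep 04 19:49:16 imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A
Sep 04 19:49:16 imap-login: Debug: SSL alert: where=0x4008, ret=552: fatal handshake failure
Sep 04 19:49:16 imap-login: Debug: SSL error: SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
Sep 04 19:49:16 imap-login: Debug: SSL error: SSL_accept() failed: error:140800FF:SSL routines:ssl3_accept:unknown state
Sep 04 19:49:16 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=11.22.33.44, lip=11.22.33.44, TLS handshaking: SSL_accept() failed: error:140800FF:SSL routines:ssl3_accept:unknown state, session=<lz7m2r2rjPouOvrk>
Sep 04 19:58:03 imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully
Sep 04 19:58:03 imap-login: Info: Login: user=<username>, method=LOGIN, rip=11.22.33.44, lip=11.22.33.44, mpid=28781, TLS, TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits), session=<LklR9r2Vtb4uOzra>
"""

SSL_ERR = re.compile(r"SSL error: SSL_accept\(\) failed: error:[0-9A-F]+:[^:]*:[^:]*:(.+)$")
DISCONNECT = re.compile(r"Info: Disconnected .*?rip=([^,]+),.*TLS handshaking.*session=<([^>]+)>")
LOGIN = re.compile(r"Info: Login: .*?rip=([^,]+),.*?(TLSv[\d.]+) with cipher (\S+).*session=<([^>]+)>")

def triage(text):
    """Return (failures, logins) parsed from imap-login log text."""
    failures, logins, pending = [], [], []
    for line in text.splitlines():
        if m := SSL_ERR.search(line):
            pending.append(m.group(1))  # collect the OpenSSL error strings in order
        elif m := DISCONNECT.search(line):
            # The first error is the root cause; "unknown state" is fallout from it.
            failures.append({"rip": m.group(1), "session": m.group(2),
                             "reason": pending[0] if pending else "unknown"})
            pending = []
        elif m := LOGIN.search(line):
            rip, proto, cipher, session = m.groups()
            first = cipher.split("-")[0]  # heuristic on the OpenSSL suite name
            kx = first if first in ("DHE", "ECDHE") else "other"
            logins.append({"rip": rip, "session": session, "protocol": proto,
                           "cipher": cipher, "kx": kx})
            pending = []
    return failures, logins

if __name__ == "__main__":
    failures, logins = triage(SAMPLE)
    for f in failures:
        print("FAILED", f["rip"], f["session"], "->", f["reason"])
    for l in logins:
        print("OK    ", l["rip"], l["session"], l["protocol"], l["cipher"], "kx=" + l["kx"])
```

Run over a full log, the `reason` and `kx` fields show whether failing clients cluster on "no shared cipher" while working clients all negotiate a DHE suite.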