SSL no shared cipher unable to connect to dovecot imap server

[adityamj]

K9 fails to connect to dovecot imap with all levels of ciphers selected from https://mozilla.github.io/server-side-tls/ssl-config-generator/
Server side log :

dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=157.49.x.x lip=192.x.x.x, TLS handshaking: SSL_accept() failed: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher, session=<X/RcAtJl/gCdMW/A>

Expected behavior

K9 should connect to dovecot

Actual behavior

Unable to connect to imap server

Versions

Versions tested: 5.403 from playstore and f-droid
Android version: Oreo 8.0
Phone: Oneplus 5t

Server conf:
Openssl version: 1.0.1t
Dovecot version: 2.1.7

Cipher suites tested:

• CDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

• ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

• ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP

Steps to reproduce

1. Install K9
2. Add an IMAP account hosted on yahoo.com or dovecot with above mentioned ssl ciphers

[cketti]

K-9 Mail uses Android's TLS stack. The only thing we do is blacklist some outdated ciphers and SSLv3. See https://github.com/k9mail/k-9/blob/04f18d8803c1a2f99ddc96c108f2c5e29ce49301/k9mail-library/src/main/java/com/fsck/k9/mail/ssl/DefaultTrustedSocketFactory.java

If there's a problem it's more likely an issue with your server configuration or Android version than a bug in K-9 Mail.

[adityamj]

It is probably an issue with Android 8.0 as same version of K9 works well on 7.x. I was wondering if there is anything that can be done internally in K9.

…

On February 23, 2018 1:03:53 AM UTC, cketti ***@***.***> wrote: K-9 Mail uses Android's TLS stack. The only thing we do is blacklist some outdated ciphers and SSLv3. See https://github.com/k9mail/k-9/blob/04f18d8803c1a2f99ddc96c108f2c5e29ce49301/k9mail-library/src/main/java/com/fsck/k9/mail/ssl/DefaultTrustedSocketFactory.java If there's a problem it's more likely an issue with your server configuration or Android version than a bug in K-9 Mail. -- You are receiving this because you authored the thread. Reply to this email directly or view it on GitHub: #3202 (comment)

[cketti]

There is no user-configurable behavior for TLS connections in K-9 Mail. And we currently have no plans to work around vendor-specific issues.

[kodiakz]

Just want add another me too. I got my new mobile and installed K9 for mailing. My old phone was Android 7 with a different imap-app. My fail2ban rule locked me out from the beginning from my mail server. I will not add ignores for K9 into my firewall settings, so I am dropping K9 until it is fixed. I confirm K9 on Android 7 does produce this error as well (Huawei Nova)!

[njeyaakili]

You might want to reevaluate your fail2ban rule as it is more likely the source of the problem than K9.

[adityamj]

Hey, I was able to get k9 working with dovecot on Android 8. Required a bit of tuning server side but it worked. IIRC creating a new dhparam 4096 fixed it for me. Cheers, Aditya

…

On 29-Jul-2018, at 3:24 PM, kodiakz ***@***.***> wrote: Just want add another me too. I got my new mobile and installed K9 for mailing. My old phone was Android 7 with a different imap-app. My fail2ban rule locked me out from the beginning from my mail server. I will not add ignores for K9 into my firewall settings, so I am dropping K9 until it is fixed. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or mute the thread.