IMAP SSL/TLS Error

Hi,
I cannot use SSL/TLS for my IMAP connection.
The error message is:
stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol at /var/www/nextcloud/apps/mail/vendor/pear-pear.horde.org/Horde_Socket_Client/Horde/Socket/Client.php#293

I already have 'app.mail.verify-tls-peer' => false, in my config.php…
When I disable the IMAP security it works, but I don't want to use it without encryption for obvious reasons.

Running Ubuntu 20.04, Apache, NextCloud 19.0.1, PHP 7.4

Thanks for your help,
Aaron

Wouldn’t it be a good start to describe IN DETAIL what settings you’ve already tried and whether you are trying to access a self-hosted server or one of the common hosters, instead of providing only an error message?! :wink:

I tried to connect to the IMAP Server of my hoster “nitrado” (vweb17.nitrado.net), so it is neither self-hosted nor a pretty common one.
If I connect without SSL/TLS or STARTTLS to port 143 it works fine, but I want to use SSL/TLS like the hoster recommends and how I use it on every other device of mine.
SMTP isn’t a problem either, it works with STARTTLS.
My firewall also shouldn’t be a problem, I whitelisted 993/tcp.

In most cases there shouldn’t be a requirement to whitelist outbound connections. Nevertheless you can use the openssl command to test if a connection can be established to the IMAP server:

    openssl s_client -connect <fqdn-of-mailserver>:993

Okay thank you for the command.
When I use it, it gives me the following error:

    $ openssl s_client -connect vweb17.nitrado.net:993
    CONNECTED(00000003)
    140137173480768:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1941:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 58 bytes and written 317 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---

When I use it on another machine it just works:

    SSL handshake has read 4948 bytes and written 502 bytes
    Verification: OK
    ---
    New, SSLv3, Cipher is AES256-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES256-SHA
        Session-ID: C995D7E6B86BC315878E18F06C2CA72CE66828A3A2344D145B3C3EEA5C31A53B
        Session-ID-ctx:
        Master-Key: DD48938EFB7F46B0C839D6CCCDF6B582736797CADFB3D9BC87E4BB47848BA1272E1584B6B1E998991B7C170E3FA9EC44
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 7200 (seconds)
        TLS session ticket:
        0000 - 21 3a 84 71 07 36 1a 90-26 b6 45 7b 9a d0 c6 e3   !:.q.6..&.E{....
        0010 - 55 de aa 11 a9 98 82 ca-d4 9c ce 7b 7b 47 4a e9   U..........{{GJ.
        0020 - d9 c2 55 0e 7d 00 2d d5-d2 0f 36 05 6a aa b5 f9   ..U.}.-...6.j...
        0030 - 6f 2e 45 79 2e f0 31 c8-28 9c 23 4e 89 6b 7b 40   o.Ey..1.(.#N.k{@
        0040 - de 05 af c9 3f 20 1b 2b-77 af 19 4a a5 e8 09 64   ....? .+w..J...d
        0050 - 5c ae 90 14 13 8a 76 c9-17 89 8a dd 72 82 3f 38   \.....v.....r.?8
        0060 - fe 5a 39 49 8f 55 bc f1-6c c6 65 39 88 2b 48 6d   .Z9I.U..l.e9.+Hm
        0070 - 0e 80 be 40 3f 4e 79 cf-29 be 49 e9 dc 37 52 24   ...@?Ny.).I..7R$
        0080 - e1 53 84 41 7f 13 d9 81-89 df 50 d2 bf 0b ab 1b   .S.A......P.....
        0090 - 55 9e ae 9e 65 53 b6 6b-a6 ed 7a b1 30 1e 11 5e   U...eS.k..z.0..^

        Start Time: 1595954369
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no
    ---
    * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2011 Double Precision, Inc.  See COPYING for distribution information.
    closed

So I guess it’s a TLS issue? On the working machine it says “TLSv1”, which scares me a bit.
If I try to connect to help.nextcloud.com:443 for example it works with TLSv1.3. Maybe my server isn’t capable of TLSv1 due to security reasons.

@jesus (first time I ever addressed jesus in public)

Today I found some new feature which might be of help for you.
Try the solution that this user gave here:

and hopefully it’s gonna help your case as well.

No, unfortunately this doesn’t help.
It is a TLS problem. My server doesn’t support TLSv1 and my mail provider ONLY supports TLSv1.
Maybe I can find a way to activate TLSv1 on my machine.
Nonetheless I wrote a support ticket to my hoster so that they start using proper protocols.

Because it is no Nextcloud problem anymore, it is okay for me if this thread gets closed.

Usually there’s a special reason for devs to deactivate something… they don’t do it for fun. In this case I think it could have been for security reasons.

So maybe you’d find out that it might not be the best solution to re-enable TLSv1 but to find yourself a different email hoster who would support TLSv2 and 3.

Which protocol can be used usually depends on how the server is configured and whether the protocol is supported by the currently used software version. You should check if the latest version of Courier-IMAP is installed and if you’ve configured it correctly. Usually everything below TLSv1.2 should be disabled by default.
BTW, the openssl command line tool knows the switches -tls1, -tls1_1, -tls1_2 and -tls1_3, which you can add to the command line to force the use of a specific protocol for testing purposes.
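The `openssl s_client` test suggested earlier in the thread and the version-pinning switches mentioned in the last reply can be combined into a small probe that records which TLS versions a mail server will actually negotiate, which is useful evidence for a ticket to the hoster. The script below is an added example written for this page, not code from the thread or from the Nextcloud Mail app. It assumes the `openssl` binary is installed and, for the live probe, that the host given on the command line is reachable on port 993; the two sample outputs embedded in it are constructed excerpts modelled on the output quoted in the thread so the parsing functions can be exercised offline. The "unsupported protocol" error in the original post is the client refusing the server's best offer (TLS 1.0) because the client's minimum is higher; on Ubuntu 20.04 the system-wide `/etc/ssl/openssl.cnf` sets `MinProtocol = TLSv1.2`, which is why the handshake fails before any certificate is exchanged and why the probe should be run from a machine whose client still permits the older versions.

```shell
#!/bin/sh
# Added example (not from the thread): probe which TLS versions an IMAP server
# accepts and classify the result. Assumes the openssl binary is installed and
# that HOST is reachable on PORT when probe_tls_versions is called.

# Constructed sample of a failing handshake, modelled on the thread's output:
# the client aborts with "unsupported protocol" before a session exists, so no
# "Protocol :" line is present.
SAMPLE_FAILING='CONNECTED(00000003)
140137173480768:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1941:
---
no peer certificate available'

# Constructed sample of a successful handshake: the SSL-Session block names
# the negotiated version.
SAMPLE_WORKING='SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA'

# Print the negotiated protocol found in s_client output, or "none" when the
# handshake never completed.
negotiated_protocol() {
    proto=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*\(TLSv[0-9.]*\).*/\1/p' \
        | head -n 1)
    if [ -n "$proto" ]; then
        echo "$proto"
    else
        echo none
    fi
}

# Succeed when s_client reported that the server's version lies outside the
# client's allowed range (the error from the original post).
is_unsupported_protocol_error() {
    printf '%s\n' "$1" | grep -q 'ssl_choose_client_version:unsupported protocol'
}

# Policy check: only TLS 1.2 and 1.3 count as acceptable for a mail client.
is_acceptable_protocol() {
    case $1 in
        TLSv1.2|TLSv1.3) return 0 ;;
        *) return 1 ;;
    esac
}

# Try each version-pinning switch openssl offers and report what the server
# negotiated for it. On a client whose openssl.cnf sets MinProtocol = TLSv1.2
# (the Ubuntu 20.04 default) the -tls1 and -tls1_1 rows fail locally with
# "no protocols available" regardless of the server, so run this from a
# machine whose client still allows the old versions to learn what the server
# really offers.
probe_tls_versions() {
    host=$1
    port=${2:-993}
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        out=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1) || true
        proto=$(negotiated_protocol "$out")
        if is_acceptable_protocol "$proto"; then
            verdict=acceptable
        else
            verdict=weak-or-rejected
        fi
        printf '%-8s %-8s %s\n' "$flag" "$proto" "$verdict"
    done
}

# Offline demonstration on the constructed samples.
echo "failing sample: $(negotiated_protocol "$SAMPLE_FAILING")"
echo "working sample: $(negotiated_protocol "$SAMPLE_WORKING")"

# Live probe only when a host is given on the command line, e.g.
#   sh probe_imap_tls.sh imap.example.org 993
if [ -n "${1:-}" ]; then
    probe_tls_versions "$1" "${2:-993}"
fi
```

A server that only ever yields `TLSv1` in the `-tls1` row and `none` in the `-tls1_2` and `-tls1_3` rows is the situation described in this thread: the fix belongs on the server side (or with a different provider), not in lowering the client's minimum.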