Hi,
I cannot use SSL/TLS for my IMAP connection.
The Error message is stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol at /var/www/nextcloud/apps/mail/vendor/pear-pear.horde.org/Horde_Socket_Client/Horde/Socket/Client.php#293
I already have 'app.mail.verify-tls-peer' => false, in my config.php…
When I disable the IMAP security it works, but I don't want to use it without encryption for obvious reasons.
Wouldn’t it be a good start to describe IN DETAIL what settings you’ve already tried and if you try to access a self-hosted server or one of the common hosters instead of providing only an error message?!
I tried to connect to the IMAP Server of my hoster “nitrado” (vweb17.nitrado.net), so it is neither self-hosted nor a pretty common one.
If I connect without SSL/TLS or STARTTLS to port 143 it works fine, but I want to use SSL/TLS like the hoster recommends and how I use it on every other device of mine.
SMTP isn’t a problem either, it works with STARTTLS.
My firewall also shouldn’t be a problem, I whitelisted 993/tcp.
In most cases there shouldn’t be a requirement to whitelist outbound connections. Nevertheless you can use the openssl command to test if a connection can be established to the IMAP server:
Okay, thank you for the command.
When I use it, it gives me the following error:
$ openssl s_client -connect vweb17.nitrado.net:993
CONNECTED(00000003)
140137173480768:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1941:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 58 bytes and written 317 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
When I use it on another machine it just works:
SSL handshake has read 4948 bytes and written 502 bytes
Verification: OK
---
New, SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID: C995D7E6B86BC315878E18F06C2CA72CE66828A3A2344D145B3C3EEA5C31A53B
Session-ID-ctx:
Master-Key: DD48938EFB7F46B0C839D6CCCDF6B582736797CADFB3D9BC87E4BB47848BA1272E1584B6B1E998991B7C170E3FA9EC44
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1595954369
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2011 Double Precision, Inc. See COPYING for distribution information.
closed
So I guess it's a TLS issue? On the working machine it says “TLSv1”, which scares me a bit.
If I try to connect to help.nextcloud.com:443 for example it works with TLSv1.3. Maybe my server isn't capable of TLSv1 due to security reasons.
No, unfortunately this doesn’t help.
It is a TLS problem. My server doesn't support TLSv1 and my mail provider ONLY supports TLSv1.
Maybe I can find a way to activate TLSv1 on my machine.
Nonetheless, I wrote a support ticket to my hoster so that they start using proper protocols.
Because it is not a Nextcloud problem anymore, it is okay for me if this thread gets closed.
Usually there's a special reason for devs to deactivate something… they don't do it for fun. In this case I think it could have been for security reasons.
So maybe you'd find out that it might be not the best solution to re-enable TLSv1 but to find yourself a different email hoster who would support TLSv2 and 3.
Which protocol can be used usually depends on how the server is configured and if the protocol is supported by the currently used software version. You should check if the latest version of Courier-IMAP is installed and if you've configured it correctly. Usually everything below TLSv1.2 should be disabled by default.
BTW, the openssl command line tool knows the switches -tls1, -tls1_1, -tls1_2 and -tls1_3, which you can add to the command line to force the use of a specific protocol for testing purposes.
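As an added example (not code from this thread, from Nextcloud or from the Horde library), a small Python helper that reduces an openssl s_client transcript like the two quoted above to a verdict and that tries each of the -tls1 … -tls1_3 switches mentioned in the last reply; the sample transcripts are constructed and abridged from the ones posted, and the host name and port passed to probe() are assumptions.

```python
"""Classify `openssl s_client` transcripts like the two quoted in this thread."""
import re
import subprocess

# Version switches of the openssl CLI, as mentioned in the last reply.
TLS_FLAGS = {"TLSv1": "-tls1", "TLSv1.1": "-tls1_1",
             "TLSv1.2": "-tls1_2", "TLSv1.3": "-tls1_3"}

# Constructed samples, abridged from the two transcripts posted above.
FAILED_OUTPUT = """CONNECTED(00000003)
140137173480768:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1941:
Verify return code: 0 (ok)
"""
WORKING_OUTPUT = """SSL handshake has read 4948 bytes and written 502 bytes
New, SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
Verify return code: 0 (ok)
"""

def classify(output):
    """Reduce one s_client transcript to {ok, protocol, cipher, error, client_rejected}.
    Only a negotiated session prints a 'Protocol : ...' line; 'Verify return code: 0'
    shows up even when no handshake completed, so it proves nothing. An error raised in
    ssl_choose_client_version means the client's own policy (e.g. MinProtocol in
    openssl.cnf) refused the version the server picked, not the other way round.
    """
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    err = re.search(r"error:[0-9A-F]+:SSL routines:([^:\n]+):([^:\n]+)", output)
    if proto:
        return {"ok": True, "protocol": proto.group(1), "error": None,
                "cipher": cipher.group(1) if cipher else None, "client_rejected": False}
    func = err.group(1) if err else ""
    reason = err.group(2).split(" at ")[0].strip() if err else "handshake failed"
    return {"ok": False, "protocol": None, "cipher": None,
            "error": f"{func}: {reason}" if func else reason,
            "client_rejected": "choose_client_version" in func}

def probe(host, port=993, timeout=10):
    """Try every version switch against host:port (needs network and the openssl CLI)."""
    results = {}
    for name, flag in TLS_FLAGS.items():
        try:
            p = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}", flag],
                               input="", capture_output=True, text=True, timeout=timeout)
            results[name] = classify(p.stdout + p.stderr)
        except (OSError, subprocess.TimeoutExpired) as exc:
            results[name] = dict(classify(""), error=str(exc))  # CLI missing or timed out
    return results
```

Running probe("imap.example.test") on a box whose openssl.cnf sets MinProtocol = TLSv1.2 against a TLSv1-only server yields client_rejected=True for every entry, which is the situation the thread ends on.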