Mark asked:
Secure connection from Android to IMAP on Linux

I am running Dovecot 2.2.15 on Slackware64 14.1, kernel 3.10.17, openssl 1.0.2.

I can connect from my Android to this server just fine using IMAP and no security. Now I am trying to set up SSL security. On the Android I've tried both "SSL" and "SSL (Accept all certificates)". The suggested port is 993 which I've forwarded on the server to port 143. When I attempt to connect I get the following message on the Android:
Setup could not finish
Cannot safely connect to server.
(SSL handshake aborted : ssl=0x5fb440: Failure in SSL library, usually a protocol error
error:140770FC:SSL routines: SSL23_GET_SERVER_HELLO: unknown protocol (external/openssl/ss/s23_clnt.c:683 oxad1276bf:0x0000000000))
In my dovecot log I get the following:
Feb 28 12:21:52 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Feb 28 12:21:52 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
Feb 28 12:21:52 auth: Debug: auth client connected (pid=22360)
Feb 28 12:24:52 imap-login: Info: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=76.181.65.196, lip=64.129.23.80, session=<aGRJQykQOwBMtUHE>
Feb 28 12:25:18 imap(mark): Info: Disconnected for inactivity in=1325 out=124104

My dovecot config is:
$ doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl = no
userdb {
  driver = passwd
}

If I try connecting using TLS I get a message on the Android: "Setup could not finish / Server doesn't support TLS", but of course it does. We get and send messages with TLS all the time.

No idea what's wrong. Need help getting this working.
gheist

openssl s_client -connect localhost:993 -ssl2
-ssl3
-tls1
-tls1_1
-tls1_2

What is really supported in the end?
Mark (ASKER)

Results of everything:
-ssl2
> openssl s_client -cert /etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt -key /etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key -CAfile /etc/ssl/certs/OHPRS/GoDaddy/Apache/gd_bundle.crt -connect localhost:993 -ssl2
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 48 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : SSLv2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1425250717
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

-ssl3
>  openssl s_client -cert /etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt -key /etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key -CAfile /etc/ssl/certs/OHPRS/GoDaddy/Apache/gd_bundle.crt -connect localhost:993 -ssl3
CONNECTED(00000003)
depth=2 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certificates.godaddy.com/repository, CN = Go Daddy Secure Certification Authority, serialNumber = 07969287
verify return:1
depth=0 OU = Domain Control Validated, CN = mail.ohprs.org
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=mail.ohprs.org
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=mail.ohprs.org
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
---
No client certificate CA names sent
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 1911 bytes and written 354 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : SSLv3
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 14C2DDE0639E70EC924C79CCC3C88474EBC79D9C7B217587C7642EBBEA5A0D7C
    Session-ID-ctx:
    Master-Key: BED88995D4A87EA4EC46449BB369C3D8FE6D452DA967DF48EC7EAF8A0330B94A2314C47DDB34F4FE330DF7C0A88CCAA8
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1425250893
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

-tls1
>  openssl s_client -cert /etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt -key /etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key -CAfile /etc/ssl/certs/OHPRS/GoDaddy/Apache/gd_bundle.crt -connect localhost:993 -tls1
CONNECTED(00000003)
depth=2 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certificates.godaddy.com/repository, CN = Go Daddy Secure Certification Authority, serialNumber = 07969287
verify return:1
depth=0 OU = Domain Control Validated, CN = mail.ohprs.org
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=mail.ohprs.org
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=mail.ohprs.org
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
---
No client certificate CA names sent
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 2055 bytes and written 419 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: C8B4FFF7A1046FEDDFAD51389BA576679AC35772985A8CC23314AF61622F3BEB
    Session-ID-ctx:
    Master-Key: 2EE43CF54F5E324FD4F07608680359D8F46782FCBE9999F11E2B27FA8FCE4A6EEA82B924C3248C15832CDC572D83E9F8
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 1e 56 52 93 a4 95 35 e1-62 2d b0 43 9f e2 97 a0   .VR...5.b-.C....
    0010 - c3 86 2e eb b7 71 77 d1-5b 7d 63 83 a7 01 85 a3   .....qw.[}c.....
    0020 - 57 22 6a 81 45 64 4c dd-0b f2 06 0c ee 24 fb b7   W"j.EdL......$..
    0030 - af f4 b8 e8 f9 8d 6c 7c-57 af 61 4b 81 a0 37 3e   ......l|W.aK..7>
    0040 - 44 04 43 10 bb 4d b6 ee-72 ee 3c 6d f7 6b 6e 8b   D.C..M..r.<m.kn.
    0050 - fc e0 9b 27 23 9f 75 29-4e 89 55 61 c4 c4 1c c3   ...'#.u)N.Ua....
    0060 - 30 16 16 d8 7c 19 84 28-2d 99 12 33 10 97 2c f7   0...|..(-..3..,.
    0070 - 66 2d b1 59 32 c4 df a4-47 cb d3 7d 4c 6e ca 7b   f-.Y2...G..}Ln.{
    0080 - 1f e7 20 5a 43 bc 42 e0-ec 2b 4f 3b 7e b5 ed e2   .. ZC.B..+O;~...
    0090 - e4 c1 50 ea 0e 5a ef 04-db 74 46 5c da af 69 8b   ..P..Z...tF\..i.

    Start Time: 1425250992
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

-tls1_1
>  openssl s_client -cert /etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt -key /etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key -CAfile /etc/ssl/certs/OHPRS/GoDaddy/Apache/gd_bundle.crt -connect localhost:993 -tls1_1
CONNECTED(00000003)
depth=2 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certificates.godaddy.com/repository, CN = Go Daddy Secure Certification Authority, serialNumber = 07969287
verify return:1
depth=0 OU = Domain Control Validated, CN = mail.ohprs.org
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=mail.ohprs.org
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=mail.ohprs.org
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
---
No client certificate CA names sent
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 2071 bytes and written 435 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: CCA82A75073F06E3ABB4FC1B85501E235DE59F91C50A99EFEDEFEE7950E6C186
    Session-ID-ctx:
    Master-Key: 018619716BE7738B2A68ADD55AB16E13D43DC261F57D46FFCA9BCEB421DB3EEC4D6F3EA7076C81BBD8A2A0CE76F7272F
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - ad 44 a8 eb da 72 e7 a9-d7 4b 59 36 76 c3 4c 5e   .D...r...KY6v.L^
    0010 - 20 55 1b d9 f7 c3 26 d4-1a bc 44 ca 67 1e be c5    U....&...D.g...
    0020 - fb b5 0c c8 b4 d2 75 1c-a0 b1 63 ea 16 a9 db e9   ......u...c.....
    0030 - 07 b7 ca 8f e2 51 db 77-21 09 7a 30 cf 16 e2 6b   .....Q.w!.z0...k
    0040 - d0 8a 09 4e b2 94 a8 e5-89 4d 42 a0 00 5b c9 e4   ...N.....MB..[..
    0050 - 00 aa 45 df f1 8f d9 d1-d3 e3 e8 94 0b 96 e8 cb   ..E.............
    0060 - 4e 45 43 87 13 8b 7e cc-45 9b 48 04 8a b5 f1 01   NEC...~.E.H.....
    0070 - 0e 3e bc 14 d0 a8 b1 b2-2e 83 cc e1 09 18 c1 f3   .>..............
    0080 - 1b 4d 1a b0 c9 1c 6b d9-b4 92 dc af 36 ee fa 55   .M....k.....6..U
    0090 - 83 a5 4f cc c3 33 29 2c-71 fe e8 d1 0b 3a db fd   ..O..3),q....:..

    Start Time: 1425251083
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

-tls1_2
>  openssl s_client -cert /etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt -key /etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key -CAfile /etc/ssl/certs/OHPRS/GoDaddy/Apache/gd_bundle.crt -connect localhost:993 -tls1_2
CONNECTED(00000003)
depth=2 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certificates.godaddy.com/repository, CN = Go Daddy Secure Certification Authority, serialNumber = 07969287
verify return:1
depth=0 OU = Domain Control Validated, CN = mail.ohprs.org
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=mail.ohprs.org
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=mail.ohprs.org
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 2049 bytes and written 519 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 24E6CE4D1412D92C5EE96130DB98EE9B9D4586EB079584FA4B176C5739BE7232
    Session-ID-ctx:
    Master-Key: 8F138E21A5A3F3C5C382461E728082A128047BC8BD8014B1FC69C7ABB5D390F5770BE5F8B92FC38D25CFB92636DE8070
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - aa bd 71 da 36 b9 e1 8a-79 b7 2a 9f 7d 03 27 d2   ..q.6...y.*.}.'.
    0010 - af 36 d9 f9 99 f7 e0 ae-1f 69 ea 4d bf ed 02 b0   .6.......i.M....
    0020 - 0e b3 f8 03 12 11 64 02-d7 02 cb a8 ee ff ce 21   ......d........!
    0030 - 50 f0 87 c8 cb 3e bf 9d-47 e1 80 fc 3e 58 2b f4   P....>..G...>X+.
    0040 - 4a 3c 7b 76 b5 94 3c e7-42 e2 37 05 91 60 6f c3   J<{v..<.B.7..`o.
    0050 - af 15 4c b9 fd 89 bf f7-74 dd 0f 73 d6 7a 61 ed   ..L.....t..s.za.
    0060 - 40 8a 31 77 cd 1f 20 63-a4 88 8b bb d7 54 83 46   @.1w.. c.....T.F
    0070 - 9d b4 ee 24 2b 59 9e 19-5e fc 7a 70 fe a4 d2 24   ...$+Y..^.zp...$
    0080 - cc d4 55 a9 df 90 59 fb-8f 3e 16 cb 78 5f a8 03   ..U...Y..>..x_..
    0090 - 82 cc 14 55 01 e5 e3 6c-80 74 d0 9b 38 9a 91 4c   ...U...l.t..8..L

    Start Time: 1425251184
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.

All but the -ssl2 wait for input. The -ssl2 just returns to the command prompt. The dovecot log for -ssl2 gives:
Mar 01 18:09:30 auth: Debug: auth client connected (pid=17720)
Mar 01 18:09:30 imap-login: Info: Disconnected (no auth attempts in 0 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS handshaking: SSL_accept() failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol, session=<QKqhMUIQZQB/AAAB>

The Dovecot log for the other types gives:

Mar 01 18:04:43 auth: Debug: auth client connected (pid=15575)

And stays waiting until I CTRL-C the command at which point the dovecot log gives:
Mar 01 18:05:02 imap-login: Info: Disconnected (no auth attempts in 19 secs): user=<>, rip=127.0.0.1, lip=127.0.0.1, TLS: Disconnected, session=<hw2xIUIQVAB/AAAB>

Does this tell you anything?

BTW, latest doveconf; note that the SSL cert info is specified.
> doveconf -n
# 2.2.15: /usr/local/etc/dovecot/dovecot.conf
# OS: Linux 3.10.17 x86_64 Slackware 14.1
auth_debug_passwords = yes
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = plain
disable_plaintext_auth = no
info_log_path = /var/log/dovecot_info
mail_location = maildir:~/Maildir
passdb {
  driver = shadow
}
protocols = imap
ssl_cert = </etc/ssl/certs/OHPRS/GoDaddy/Apache/c5fe0cc8242d6030.crt
ssl_key = </etc/ssl/certs/OHPRS/GoDaddy/mail.ohprs.org.key
userdb {
  driver = passwd
}

When attempting to connect from Android, SSL, port 993 I get:
Setup could not finish
Cannot safely connect to server.
(java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.)
Dovecot log gives:
Mar 01 18:13:44 auth: Debug: Loading modules from directory: /usr/local/lib/dovecot/auth
Mar 01 18:13:44 auth: Debug: Read auth token secret from /usr/local/var/run/dovecot/auth-token-secret.dat
Mar 01 18:13:44 auth: Debug: auth client connected (pid=19396)
:
: three minutes later ...
:
Mar 01 18:16:44 imap-login: Info: Disconnected: Inactivity (no auth attempts in 180 secs): user=<>, rip=76.181.65.196, lip=64.129.23.80, TLS, session=<DLh+S0IQ3wBMtUHE>

Note that on subsequent attempts I only get the "Debug: auth client connected" line, not the "Debug: Loading modules" or "Debug: Read auth token secret" lines.
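Added example, not part of this thread and not Dovecot or OpenSSL code: a small Python parser that answers gheist's "what is really supported in the end?" from s_client transcripts like the ones above and flags what a defender would want to know from them. Two observations it encodes are worth checking against the real transcripts: under "Certificate chain" only entry 0 appears, so the server is sending just the leaf certificate, and "Verify return code: 0 (ok)" was obtained with -CAfile pointing at the GoDaddy bundle locally, which an ordinary client does not have; a client that lacks the intermediate cannot build a trust path and reports an error of the "Trust anchor for certification path not found" kind. In Dovecot 2.2 the served chain is whatever the ssl_cert file contains, so the intermediate bundle is normally appended to that file, and ssl_protocols is where SSLv3 gets switched off. The sample transcripts in the block are constructed and abridged, with a placeholder host (mail.example.test) and a placeholder CA in place of the thread's real ones; the function names are this example's own.

```python
"""Summarise `openssl s_client` transcripts and flag deployment issues.

Added example, not part of the thread. It runs offline on transcript text;
the sample transcripts below are constructed and abridged, with a
placeholder hostname and CA instead of the thread's real ones.
"""
import re

# Versions a current deployment should no longer offer.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: a version the server refuses (modelled on the -ssl2 run).
SAMPLE_REFUSED = """\
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv2
    Cipher    : 0000
    Verify return code: 0 (ok)
"""

# Constructed sample: a successful TLS 1.2 run where only the leaf cert is sent.
SAMPLE_TLS12 = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=mail.example.test
   i:/C=US/O=Example CA Inc./CN=Example Intermediate CA
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
"""

# Same transcript with a legacy version negotiated (modelled on the -ssl3 run).
SAMPLE_SSLV3 = SAMPLE_TLS12.replace("Protocol  : TLSv1.2", "Protocol  : SSLv3")


def parse_s_client(text):
    """Pull the fields that matter from one s_client transcript."""
    # Each certificate the server actually sent is listed as " N s:<subject>"
    # followed by "   i:<issuer>" under "Certificate chain".
    chain = re.findall(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", text, re.M)
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", text, re.M)
    cipher = re.search(r"^New, .*Cipher is (\S+)", text, re.M)
    verify = re.search(r"Verify return code:\s*(\d+)", text)
    banner = re.search(r"^\* OK \[CAPABILITY ([^\]]*)\]", text, re.M)
    # "Cipher is (NONE)" means no handshake completed, whatever Protocol says.
    negotiated = cipher is not None and cipher.group(1) != "(NONE)"
    return {
        "handshake_ok": negotiated,
        "protocol": proto.group(1) if (proto and negotiated) else None,
        "cipher": cipher.group(1) if negotiated else None,
        "chain": [(s.strip(), i.strip()) for s, i in chain],
        "verify_code": int(verify.group(1)) if verify else None,
        "capabilities": banner.group(1).split() if banner else [],
    }


def assess(run, ca_file_supplied=False):
    """Return (severity, message) findings for one parsed run."""
    findings = []
    if not run["handshake_ok"]:
        return findings  # the server refused this version: nothing to flag
    if run["protocol"] in LEGACY_PROTOCOLS:
        findings.append(("warn", f"server still accepts {run['protocol']}"))
    if run["verify_code"] not in (None, 0):
        findings.append(("fail", f"certificate verification failed (code {run['verify_code']})"))
    chain = run["chain"]
    if len(chain) == 1 and chain[0][0] != chain[0][1]:
        # A single, non-self-signed entry means no intermediate was served.
        findings.append(("fail", "server sent only the leaf certificate; "
                                 "clients lacking the intermediate cannot build a trust path"))
    if ca_file_supplied and run["verify_code"] == 0:
        findings.append(("info", "verification passed with a local -CAfile; "
                                 "re-run without it to see what ordinary clients get"))
    return findings


def supported_versions(runs):
    """Map each s_client version flag to the protocol it negotiated, or None."""
    return {flag: parse_s_client(text)["protocol"] for flag, text in runs.items()}


if __name__ == "__main__":
    runs = {"-ssl2": SAMPLE_REFUSED, "-ssl3": SAMPLE_SSLV3, "-tls1_2": SAMPLE_TLS12}
    print(supported_versions(runs))
    for flag, text in runs.items():
        for severity, message in assess(parse_s_client(text), ca_file_supplied=True):
            print(f"{flag}: [{severity}] {message}")
```

To use it on real output, save each `openssl s_client -connect host:993 -<version>` transcript to a file and feed the text to parse_s_client; pass ca_file_supplied=True when the run used -CAfile, so the tool reminds you that a passing verification under those conditions says nothing about clients that only carry the public root store.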
ASKER CERTIFIED SOLUTION
Mark

Mark (ASKER)

I've requested that this question be closed as follows:

Accepted answer: 0 points for jmarkfoley's comment #a40638744
Assisted answer: 500 points for gheist's comment #a40637897

for the following reason:

I figured out the problem.
Did I help somehow?
Mark (ASKER)


Yes, your suggestion to test the -tls_1, -tls_2 put me on track to try a different security mechanism on the Android. Still don't know why SSL wouldn't work, but no matter, I prefer TLS anyway. In any case I much prefer respondents to my questions to be someone who knows what they're talking about, which you do, rather than point mongers who post the first Google link they come across and waste my time. Take the points.