OC_User_IMAP: uses old TLS versions and ciphers #11741

Closed
Liberasys opened this issue Oct 10, 2018 · 3 comments
Comments

@Liberasys

Steps to reproduce

  1. nextcloud server v13
  2. dovecot v2.2.27 on Debian
  3. configure OC_User_IMAP in order to make IMAP authentication

Expected behaviour

IMAP connection through STARTTLS works with modern ciphers and the latest TLS version (1.2)

Actual behaviour

User cannot log in because of bad protocol and cipher negotiation. Reported by Dovecot:
Oct 10 16:51:16 mail2 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=[...], lip=[...], TLS handshaking: SSL_accept() failed: error:1417D102:SSL routines:tls_process_client_hello:unsupported protocol, session=<nkiF/OB3wIo+0hlk>
Oct 10 16:53:44 mail2 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=[...], lip=[...], TLS handshaking: SSL_accept() failed: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher, session=<rZVSBeF3LIs+0hlk>

Server configuration

Operating system:
Debian 9.5

Web server:
Apache 2.4.25-3 + FPM

Database:
PostgreSQL 9.6.10

PHP version:
7.0.30

Nextcloud version: (see Nextcloud admin page)
13.0.6

Updated from an older Nextcloud/ownCloud or fresh install:
fresh install

Where did you install Nextcloud from:
followed install guide, with community link and procedure

Signing status:
No errors have been found.

List of activated apps:
not relevant

Nextcloud configuration:
relevant part:
'user_backends' => array (
0 => array (
'class' => 'OC_User_IMAP',
'arguments' => array (
0 => '{mail2.liberasys.com:143/imap/tls}'
),
),
),

==== stop here for standard form :-) =====
Relevant part for IMAP external auth:
In Dovecot server, in file /etc/dovecot/conf.d/10-ssl.conf, it is:

  • NOT WORKING when I set:
    ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1
    ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
  • WORKING when I set:
    ssl_protocols = !SSLv3
    ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

Thus, I think that the IMAP client part of the Nextcloud remote auth is using old libraries or bad default parameters. This forces me to use insecure SSL parameters on the IMAP server.
Can you investigate, please? Maybe I am missing something?

Thank you,
Best Regards,
Gautier.
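The report above shows both Dovecot-side symptoms (`unsupported protocol`, then `no shared cipher` once TLS 1.0/1.1 are disabled) but gives no way to see what the client actually negotiates. The script below is an added diagnostic, not code from this issue, from Nextcloud or from Dovecot. It does two things: it parses `imap-login` failure lines and maps each OpenSSL reason to the Dovecot setting that rejected the client, and it performs the IMAP STARTTLS exchange itself with a client pinned to TLS 1.2 or newer and reports the negotiated version and cipher. The log lines, IP addresses and session ids embedded in it are constructed; the host name in the comment is a placeholder.

```python
"""Diagnose IMAP STARTTLS negotiation failures between a client and Dovecot."""
import re
import socket
import ssl

# Constructed log lines in the shape Dovecot 2.2 writes (IPs and session ids are made up).
SAMPLE_LOG = """\
Oct 10 16:51:16 mail2 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=192.0.2.1, TLS handshaking: SSL_accept() failed: error:1417D102:SSL routines:tls_process_client_hello:unsupported protocol, session=<aaaa0001>
Oct 10 16:53:44 mail2 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=192.0.2.10, lip=192.0.2.1, TLS handshaking: SSL_accept() failed: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher, session=<aaaa0002>
Oct 10 16:55:02 mail2 dovecot: imap-login: Login: user=<gautier>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS, session=<aaaa0003>
"""

HANDSHAKE_RE = re.compile(
    r"rip=(?P<rip>[^,]+), .*SSL_accept\(\) failed: error:[0-9A-F]+:SSL routines:"
    r"(?P<func>\w+):(?P<reason>[^,]+), session=<(?P<session>[^>]+)>"
)

# OpenSSL reason string -> the Dovecot 10-ssl.conf knob the client collided with.
REASON_TO_KNOB = {
    "unsupported protocol": "ssl_protocols (client offered only versions the server disabled)",
    "no shared cipher": "ssl_cipher_list (client offered none of the server's ciphers)",
}


def classify_handshake_failures(log_text):
    """Return one dict per failed TLS handshake: client IP, OpenSSL function,
    reason, session id, and which Dovecot setting rejected the client."""
    out = []
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.search(line)
        if m:
            out.append({**m.groupdict(), "knob": REASON_TO_KNOB.get(m["reason"], "unknown")})
    return out


class IMAPError(Exception):
    pass


def imap_starttls(send, recv_line):
    """Drive the IMAP STARTTLS exchange (RFC 3501 section 6.2.1) over injected I/O
    so it can be exercised without a network: send(b) writes bytes to the wire,
    recv_line() returns one CRLF-terminated line. Returns the server greeting;
    raises IMAPError if the server does not advertise or accept STARTTLS."""
    counter = [0]

    def command(name):
        counter[0] += 1
        tag = b"a%d" % counter[0]
        send(tag + b" " + name + b"\r\n")
        untagged = []
        while True:
            line = recv_line()
            if line.startswith(tag + b" "):  # tagged completion ends the command
                return line, untagged
            untagged.append(line)

    greeting = recv_line()
    if not greeting.startswith(b"* OK"):
        raise IMAPError("unexpected greeting: %r" % greeting)
    # Dovecot embeds [CAPABILITY ...] in the greeting; ask explicitly otherwise.
    advertised = greeting if b"CAPABILITY" in greeting else b"".join(command(b"CAPABILITY")[1])
    if not re.search(rb"\bSTARTTLS\b", advertised):
        raise IMAPError("server does not advertise STARTTLS")
    status, _ = command(b"STARTTLS")
    if status.split(b" ", 2)[1] != b"OK":
        raise IMAPError("STARTTLS refused: %r" % status)
    return greeting


def _recv_line(sock):
    """Read one line a byte at a time, so no bytes belonging to the TLS handshake
    get pulled into a userspace buffer before the socket is wrapped."""
    buf = bytearray()
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise IMAPError("connection closed before end of line")
        buf += chunk
    return bytes(buf)


def probe_starttls(host, port=143, minimum=ssl.TLSVersion.TLSv1_2, timeout=10):
    """Connect, upgrade with STARTTLS, and return (protocol, cipher) negotiated by a
    client that refuses anything below `minimum`. A handshake failure here shows up
    on the Dovecot side exactly like the imap-login lines above."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = minimum
    with socket.create_connection((host, port), timeout=timeout) as sock:
        imap_starttls(sock.sendall, lambda: _recv_line(sock))
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(b"a9 LOGOUT\r\n")
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    for f in classify_handshake_failures(SAMPLE_LOG):
        print("%(rip)s session=%(session)s %(func)s: %(reason)s -> %(knob)s" % f)
    # Against a real server (placeholder host name), from the Nextcloud machine:
    # print(probe_starttls("imap.example.org"))
```

Run `probe_starttls` from the Nextcloud host against the IMAP server while `10-ssl.conf` still carries the strict `ssl_protocols` and `ssl_cipher_list`. If it returns `TLSv1.2` and one of the ciphers from that list, the server is fine and the failing hello comes from the Nextcloud side, which is where a fix belongs rather than in re-enabling TLS 1.0 and `ALL:!LOW:!SSLv2:!EXP:!aNULL` on Dovecot.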

@nextcloud-bot
Member

GitMate.io thinks possibly related issues are #9455 (Constantly running old versions of Nextcloud), #3145 (Old file versions not removed), #6797 (Versions doesn't remove old file versions as documented), #6155 (Can't access to old revision/version of a file (Collabora)), and #7399 (Version diclosure).

@dadosch

dadosch commented Nov 2, 2018

I have the same problem as well. As long as Dovecot doesn't offer TLSv1, it doesn't work. There must be an old library or something which is not able to use TLSv1.1 or 1.2.

@ChristophWurst
Member
