I've included my original question below since it still demonstrates a symptom of the problem. In the general case, when I try to run the openssl client over IPv6 to a Dovecot (IMAP) server on port 993 or Nginx (HTTPS) server on port 443, they just stall at CONNECTED. Switching to IPv4 causes the key negotiation to complete almost immediately.
The firewall is configured the same for IPv4 and IPv6 traffic, and the server responds to the initial connection attempt, but doesn't complete the key exchange.
Any ideas?
I'm pretty sure it was working previously, but it isn't working now. My IPv6 is relatively new, but as shown below in the logs, IPv6 communicates with the Dovecot server. When I disable IPv6 on my machine and connect to the mail server, the key exchange completes fine and I can log in:
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization [a.b.c.d]
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization [a.b.c.d]
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization [a.b.c.d]
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization [a.b.c.d]
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello [a.b.c.d]
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello [a.b.c.d]
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate [a.b.c.d]
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write key exchange [a.b.c.d]
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server done [a.b.c.d]
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3/TLS write server done [a.b.c.d]
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server done [a.b.c.d]
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client key exchange [a.b.c.d]
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read change cipher spec [a.b.c.d]
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read finished [a.b.c.d]
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write session ticket [a.b.c.d]
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write change cipher spec [a.b.c.d]
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished [a.b.c.d]
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [a.b.c.d]
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [a.b.c.d]
Jun 16 18:12:56 mail dovecot: imap-login: Login: user=<username_here>, method=PLAIN, rip=a.b.c.d, lip=e.f.g.h, mpid=6293, TLS, session=<session_id>
However, over IPv6, the exchange never completes and thus I never log in:
Jun 16 18:15:15 mail dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 16 18:15:15 mail dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Jun 16 18:15:15 mail dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization [ipv6_address]
Jun 16 18:15:15 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization [ipv6_address]
Jun 16 18:15:15 mail dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: before SSL initialization [ipv6_address]
Jun 16 18:15:15 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before SSL initialization [ipv6_address]
Jun 16 18:15:15 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello [ipv6_address]
Jun 16 18:15:15 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello [ipv6_address]
Jun 16 18:15:15 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate [ipv6_address]
Jun 16 18:15:15 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write key exchange [ipv6_address]
Jun 16 18:15:15 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server done [ipv6_address]
Jun 16 18:15:15 mail dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3/TLS write server done [ipv6_address]
Does anyone have ideas to debug this further? I tried changing the permitted protocols, but it doesn't seem to impact things.
I've been using this to debug as it takes the mail client out of the picture:
openssl s_client -connect mail.domain.net:993 -tls1_2
On IPv4 it screams through, but IPv6 starts the negotiation which I can see on the server but fails just prior to the negotiation completing.
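As an added example (not part of the question, and not Dovecot's or OpenSSL's own tooling), the script below reads Dovecot "imap-login: Debug: SSL:" lines like the ones quoted above, groups them by peer address, decodes the OpenSSL info-callback bit mask behind the "where=" field, and reports for each peer the last handshake state reached and whether the HANDSHAKE_DONE event ever fired. Run over the two sessions in the question it shows what a reader has to infer by eye: for the IPv4 peer the state machine runs through to "SSL negotiation finished successfully", while for the IPv6 peer the server finishes writing its server hello / certificate / key exchange / server done flight and then sits in a "where=0x2002, ret=-1" exit, which is SSL_accept returning to wait for the client's next message, not an error. The sample log is a trimmed copy of the poster's lines, keeping the same placeholder peer addresses; the bit-mask values are the SSL_CB_* / SSL_ST_* constants from OpenSSL's ssl.h.

```python
import re
from collections import OrderedDict

# Constructed sample: a trimmed copy of the Dovecot debug lines from the question,
# with the poster's placeholder peer addresses (a.b.c.d = IPv4, ipv6_address = IPv6).
SAMPLE_LOG = """\
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization [a.b.c.d]
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello [a.b.c.d]
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello [a.b.c.d]
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate [a.b.c.d]
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write key exchange [a.b.c.d]
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server done [a.b.c.d]
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3/TLS write server done [a.b.c.d]
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client key exchange [a.b.c.d]
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read change cipher spec [a.b.c.d]
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read finished [a.b.c.d]
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write finished [a.b.c.d]
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: where=0x20, ret=1: SSL negotiation finished successfully [a.b.c.d]
Jun 16 18:12:56 mail dovecot: imap-login: Debug: SSL: where=0x2002, ret=1: SSL negotiation finished successfully [a.b.c.d]
Jun 16 18:15:15 mail dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before SSL initialization [ipv6_address]
Jun 16 18:15:15 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS read client hello [ipv6_address]
Jun 16 18:15:15 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server hello [ipv6_address]
Jun 16 18:15:15 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write certificate [ipv6_address]
Jun 16 18:15:15 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write key exchange [ipv6_address]
Jun 16 18:15:15 mail dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: SSLv3/TLS write server done [ipv6_address]
Jun 16 18:15:15 mail dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv3/TLS write server done [ipv6_address]
"""

# Bits of the "where" argument of OpenSSL's SSL info callback (SSL_ST_* / SSL_CB_* in ssl.h).
SSL_CB_FLAGS = OrderedDict([
    (0x2000, "ACCEPT"),           # SSL_ST_ACCEPT: server side of the handshake
    (0x1000, "CONNECT"),          # SSL_ST_CONNECT: client side of the handshake
    (0x0001, "LOOP"),             # SSL_CB_LOOP: state machine advanced one step
    (0x0002, "EXIT"),             # SSL_CB_EXIT: SSL_accept()/SSL_connect() returned
    (0x0004, "READ"),
    (0x0008, "WRITE"),
    (0x0010, "HANDSHAKE_START"),
    (0x0020, "HANDSHAKE_DONE"),
    (0x4000, "ALERT"),
])

SSL_LINE = re.compile(
    r"imap-login: Debug: SSL: where=(?P<where>0x[0-9a-fA-F]+), ret=(?P<ret>-?\d+): "
    r"(?P<state>.+?) \[(?P<peer>[^\]]+)\]\s*$"
)


def decode_where(where):
    """Turn the numeric 'where' mask into its flag names, e.g. 0x2002 -> 'ACCEPT|EXIT'."""
    names = [name for bit, name in SSL_CB_FLAGS.items() if where & bit]
    return "|".join(names) if names else hex(where)


def parse_ssl_log(log_text):
    """Group Dovecot SSL debug lines by peer address.

    Returns {peer: {"states": [...], "waiting_at": str|None, "finished": bool}}:
    'states' is the first-appearance order of handshake states, 'waiting_at' is the
    state at which SSL_accept last returned with ret < 0 (an EXIT event meaning
    "would block, retry later", i.e. waiting for more data from the client, not an
    error), and 'finished' is set by the HANDSHAKE_DONE event.
    """
    sessions = OrderedDict()
    for line in log_text.splitlines():
        m = SSL_LINE.search(line)
        if not m:
            continue  # e.g. the "elliptic curve ... will be used" lines carry no where= field
        s = sessions.setdefault(m["peer"], {"states": [], "waiting_at": None, "finished": False})
        where, ret, state = int(m["where"], 16), int(m["ret"]), m["state"]
        if not s["states"] or s["states"][-1] != state:
            s["states"].append(state)
        if where & 0x0002 and ret < 0:
            s["waiting_at"] = state
        if where & 0x0020:
            s["finished"] = True
    return sessions


def stalled_sessions(sessions):
    """Peers whose handshake never reached HANDSHAKE_DONE -> the state the server is stuck waiting in."""
    return {peer: s["waiting_at"] or s["states"][-1]
            for peer, s in sessions.items() if not s["finished"]}


def report(log_text):
    """One summary line per peer; stalled peers are marked with the state they stopped at."""
    lines = []
    for peer, s in parse_ssl_log(log_text).items():
        if s["finished"]:
            lines.append(f"{peer}: handshake completed ({len(s['states'])} states)")
        else:
            lines.append(f"{peer}: STALLED, server waiting for client after '{s['waiting_at']}'")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Pointing the script at a full `mail.log` instead of the embedded sample works the same way, since it keys on the peer address in brackets; if every IPv6 peer stalls at the same state right after the server's "write server done" flight while IPv4 peers complete, the problem sits between that flight leaving the server and the client's key exchange arriving, which is a narrower question than "TLS over IPv6 is broken".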