K9 Broken After New Phone

I see from this topic K9 Broken after latest Android 14 update - Support - K-9 Mail Forum that the community has known for a while there’s an issue with K-9 Mail and the underlying Android support files attempting to force a TLS 1.3 connection on a server that only does TLS 1.2. Any news on this?

What some may not realize is that this issue will rear its ugly head when upgrading phones, without changing the version of K-9 (Version 9.0 in both cases). In my case, this is happening when attempting to connect to a server that gets a solid “A” from SSL Labs (TLS 1.2 is OK in their eyes). I’ve used K-9 Mail for over 10 years, and am hating the fact I have to abandon it because of this.

I can connect unsecured, by the way, over both IMAP and POP. But that won’t do.

I’ve done a clean (new) install with manual settings, and an import install. Both give the same results:

“Read error: ssl=xxxxxxxxxx: Failure in SSL library, usually a protocol error
error:100000f0:SSL
routines:OPENSSL_internal:UNSUPPORTED_PROTOCOL (external/boringssl/src/ssl/handshake_client.cc:714
0xxxxxxxxxxx:0x00000000)”

Welcome to the K-9 Forums.

Based on the outcome of the topic that you linked, this is something that your email provider needs to fix with an upgrade to their mailserver software.


Thanks for the reply. Unfortunately, it’s not very helpful. The links you provided point to several security weaknesses and required fixes, but not a single one applies here.

  • min. TLS 1.2: server is already running 1.2, with 1.1 disabled.
  • min key 2048 bits: server already running 2048 bit key (as the link said, public CAs have not issued 1024 bit keys since 2015).
  • min bits for Diffie 2048: already set to 2048 in the server.
  • Use public CA: Duh. Already using public CA.
  • Weak ciphers: Already disabled weak ciphers, such as RC2 and RC4 variants.

As I said, and you seemed to ignore, SSL Labs online tests give this server an “A,” checking every one of the suggestions provided in those links.

Well clearly something is not compatible between your server and the client on your device. No one here is going to be able to reproduce the issue based on the available information, so other than working with your provider, I don’t know what else to tell you.

I, too, have been using K-9 Mail for over 10 years, and have never encountered the issue. I am sorry that I can’t be more help.

Again, thanks for the reply. Sorry I’m a little snarky. As it turns out, I AM the provider. I administer the Exchange server, and I’ve been doing this a long time. I’m not only frustrated because I cannot use something I’ve used for a decade, but I literally crashed the Exchange server trying to make this work. I spent my whole Saturday getting it back online.

I’m not really posting here looking for a fix, because I don’t believe the community has one. As you said, a server upgrade is all that will solve it (maybe).

The REAL reason I am posting is to correct the erroneous information already here: I am convinced that the K-9 software will only accept TLS 1.2 when it senses an older version of Android. If it senses a newer version of Android, it REQUIRES TLS 1.3, no ifs, ands, or buts. If I had known that, I wouldn’t have wasted two days on this and I wouldn’t have crashed that server.

It’s not about what K-9 detects and decides to use. It’s about what the OS provides to K-9.

K-9 does not come with its own security stack. Instead, it relies on the one provided by the OS. There is no flag that can be set and no options to declare. It’s just “I want a TLS connection” and the OS shall provide.

The same applies to the lack of a crypto stack. K-9 requires an external provider such as OpenKeychain in order to facilitate PGP/GnuPG encryption and signing.

Sidenote: Fiddling with Exchange and Windows’ buggy security stack… Bad idea. What could work is disabling the built-in SSL/TLS handler in IIS and using OpenSSL instead. It’s also more compatible with ACME if you are using Let’s Encrypt.

You may want to give FairEmail a try. It comes with its own implementation of a security stack which directly interacts with S/MIME as well.

If you must use Exchange, you will get best performance with an MUA implementing that proprietary protocol: Outlook. Almost all of the MUAs rely on IMAP fallback or an incomplete reverse-engineered implementation (Blumail, …).