www.ritlabs.com [Topic: do not update to 8.5.2 if you use Gmail. TLS]

do not update to 8.5.2 if you use Gmail. TLS

Thu, 26 Mar 2020 15:56:10 +0200

do not update to 8.5.2 if you use Gmail. TLS in forum The Bat! - Configuring the E-mail Client.
I can't get gmail to work with 9.1.6. Works great with Postbox.
26 March 2020 15:56:10, John Wilkins.

do not update to 8.5.2 if you use Gmail. TLS

Wed, 18 Mar 2020 13:39:14 +0200

do not update to 8.5.2 if you use Gmail. TLS in forum The Bat! - Configuring the E-mail Client.
The Bat! since version 9.1 supports AES GCM
18 March 2020 13:39:14, Maxim Masiutin.

do not update to 8.5.2 if you use Gmail. TLS

Sun, 08 Jul 2018 18:02:16 +0300

do not update to 8.5.2 if you use Gmail. TLS in forum The Bat! - Configuring the E-mail Client.
There are plans for future versions of The Bat! to support AES CGM cipher suites.
08 July 2018 18:02:16, Maxim Masiutin.

do not update to 8.5.2 if you use Gmail. TLS

Sat, 07 Jul 2018 11:20:31 +0300

do not update to 8.5.2 if you use Gmail. TLS in forum The Bat! - Configuring the E-mail Client.

====quote====
Maxim Masiutin wrote:
You can use The Bat! 8.5.4 available to download from https://www.ritlabs.com/en/products/thebat/download.php

This version resolves TLS 1.2 compatibility issues. Connection failures were caused by mail server servers which aborted the connection unless The Bat! sends signature_algorithms ClientHello extension on TLS 1.2. To resolve this incompatibility, The Bat! since version 8.5.4 always sends the signature_algorithms extension during TLS 1.2 handshake.
=============

Thanks for the update, however I can't still download email from Gmail even with 8.5.4, server still reports TLS error: Handshake failure. According to the log, it started happening with 8.4 on 2018-07-06 around 21:00 UTC.

I'm using pop.gmail.com, running The Bat with ====code====

/TLS_VERSION_RANGE:3-3

============= and using Wireshark I see that it's sending
====code====

           Extension: signature_algorithms
                    Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
                    Signature Algorithm: ecdsa_sha1 (0x0203)
                    Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                    Signature Algorithm: rsa_pkcs1_sha1 (0x0201)

=============

but server immediately responds with Handshake failure. I'm not running any antivirus besides Windows Defender. Could you please look into it? What other information can I provide for you to debug? Thank you!

UPDATE

When /TLS_VERSION_RANGE:3-3 is removed I can connect just fine. Debugged the issue a bit and the reason Gmail rejects the connection with /TLS_VERSION_RANGE:3-3 is that in that case The Bat advertises cipher suites that Gmail doesn't support, see High-Tech Bridge SSLScan results.

The Bat's advertised cipher suites (16 suites) without /TLS_VERSION_RANGE:3-3:
====code====

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
TLS_RSA_WITH_RC4_128_SHA (0x0005)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
TLS_RSA_WITH_RC4_128_MD5 (0x0004)

=============
The Bat's advertised cipher Suites (5 suites) with /TLS_VERSION_RANGE:3-3: ====code====

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)

=============
Gmail supports these on TLS 1.2: ====code====

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384

=============
And Gmails preferred suites for TLS 1.2 are:
====code====

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

============= So The Bat with /TLS_VERSION_RANGE:3-3 advertises only AES-CBC SHA256 ciphersuites, while Gmail uses AES-GCM and ChaCha20-Poly1305 ciphersuites with SHA256.

Pretty please, can we get Gmail's preferred cipher suites in The Bat too and enabled when only TLS 1.2 is requested? Thanks!
07 July 2018 11:20:31, foo bar.

do not update to 8.5.2 if you use Gmail. TLS

Thu, 05 Jul 2018 10:57:54 +0300

do not update to 8.5.2 if you use Gmail. TLS in forum The Bat! - Configuring the E-mail Client.

====quote====
Maxim Masiutin wrote:
You can use The Bat! 8.5.4 available to download from https://www.ritlabs.com/en/products/thebat/download.php

This version resolves TLS 1.2 compatibility issues. Connection failures were caused by mail server servers which aborted the connection unless The Bat! sends signature_algorithms ClientHello extension on TLS 1.2. To resolve this incompatibility, The Bat! since version 8.5.4 always sends the signature_algorithms extension during TLS 1.2 handshake.
=============
Hello,

It works well with The Bat! 8.5.4 . I have no longer TLS problems.
I can now reactivate Kaspersky.

Thanks again.
05 July 2018 10:57:54, Bertrand Yvers.

do not update to 8.5.2 if you use Gmail. TLS

Wed, 04 Jul 2018 23:54:36 +0300

do not update to 8.5.2 if you use Gmail. TLS in forum The Bat! - Configuring the E-mail Client.
You can use The Bat! 8.5.4 available to download from https://www.ritlabs.com/en/products/thebat/download.php

This version resolves TLS 1.2 compatibility issues. Connection failures were caused by mail server servers which aborted the connection unless The Bat! sends signature_algorithms ClientHello extension on TLS 1.2. To resolve this incompatibility, The Bat! since version 8.5.4 always sends the signature_algorithms extension during TLS 1.2 handshake.
04 July 2018 23:54:36, Maxim Masiutin.

do not update to 8.5.2 if you use Gmail. TLS

Wed, 04 Jul 2018 11:18:54 +0300

do not update to 8.5.2 if you use Gmail. TLS in forum The Bat! - Configuring the E-mail Client.
Hello,

The problem is now solved.

I have Kaspersky Internet Security 2019.

I desactivate Kaspersky SSL/TSL Root certificate and now it works like a charm.

The problem was Kaspersky Root Certificate.

Do you have Kaspersky anti-virus?

It works now with the BAT 8.5.2 TLS.
04 July 2018 11:18:54, Bertrand Yvers.

do not update to 8.5.2 if you use Gmail. TLS

Tue, 03 Jul 2018 20:52:03 +0300

do not update to 8.5.2 if you use Gmail. TLS in forum The Bat! - Configuring the E-mail Client.
davide, why can not you accept that the bug is in TB? I know about 8 other people.

davide, proč nemůžete přijmout, že chyba je v TB? Znám 8 dalších lidí.
03 July 2018 20:52:03, Krnac Martin.

do not update to 8.5.2 if you use Gmail. TLS

Tue, 03 Jul 2018 19:54:56 +0300

do not update to 8.5.2 if you use Gmail. TLS in forum The Bat! - Configuring the E-mail Client.
What you're saying is that because it doesn't work for *you* it doesn't work for others. I looked at the beta test logs and Office365 was successfully tested. Obviously, there is some nuance that applies to you, but not necessarily the rest of the world. And there will always be bugs to fix as there are far too many variations of a product as complex as TB! and the world of email to guarantee everything always works. There is a volunteer group to test beta releases and you might consider joining it. Active participation is always welcome there.

david
03 July 2018 19:54:56, david kirk.

do not update to 8.5.2 if you use Gmail. TLS

Tue, 03 Jul 2018 19:05:15 +0300

do not update to 8.5.2 if you use Gmail. TLS in forum The Bat! - Configuring the E-mail Client.
Commenting on the 1st reply: 8.5.2 is broken, it does not work with my Office365 account too for example. If an update to an email client breaks a key function even in some cases - it is broken by definition, and this thread's caption is in order. Some of us depend on our emails, updates MUST be tested thoroughly before going public. This is not a beta or a pre-release.
03 July 2018 19:05:15, D Y.

do not update to 8.5.2 if you use Gmail. TLS

Sun, 01 Jul 2018 12:52:58 +0300

do not update to 8.5.2 if you use Gmail. TLS in forum The Bat! - Configuring the E-mail Client.
Hello there,

Same error with 8.5.2.

I have a google account, a ymail account , a gmx account.

Three errors with TLS 1.2.

30.06.2018, 10:25:50: IMAP - Connecting IMAP server imap.gmail.com to port 993
30.06.2018, 10:25:50: IMAP - TLS handshake started
! 30.06.2018, 10:25:50: IMAP - TLS handshake failed. Existing connections have been forced terminated by a remote host

30.06.2018, 10:25:50: IMAP - Connecting IMAP server imap.gmail.com to port 993
30.06.2018, 10:25:50: IMAP - TLS handshake started
! 30.06.2018, 10:25:50: IMAP - TLS handshake failed. Existing connections have been forced terminated by a remote host
01 July 2018 12:52:58, Bertrand Yvers.

do not update to 8.5.2 if you use Gmail. TLS

Sat, 30 Jun 2018 21:30:58 +0300

do not update to 8.5.2 if you use Gmail. TLS in forum The Bat! - Configuring the E-mail Client.
If I may make a couple of suggestions to you:

1. First, you made a post on something that wanted no assistance. If you believe you have a real bug, please send to support.

2. Second, please do not announce what does not work unless you know for certain that it does not. Regarding this thread, I am using 8.5.2 with Gmail TLS 64-bit and it works fine.

Other than that, welcome to the forum.

david
30 June 2018 21:30:58, david kirk.

do not update to 8.5.2 if you use Gmail. TLS

Sat, 30 Jun 2018 20:44:10 +0300

do not update to 8.5.2 if you use Gmail. TLS in forum The Bat! - Configuring the E-mail Client.
do not update to 8.5.2 if you use Gmail. TLS

does not work version 8.5.2, does not work with google gmail

last functional version 8.5
30 June 2018 20:44:10, Krnac Martin.