Secure connection to web/mail server fails on macOS/iOS

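I'm desperate: I moved two domains from one server to another server that runs smoothly. I secured both domains (website and mail) with Let's Encrypt certificates. Now the owners of these domains complain that the mail server is not working properly. But that can't be, because other domains can send and receive e-mail. While troubleshooting, I noticed that no web page can be retrieved from my server on macOS or iOS (connection refused - a secure connection could not be established). On Windows/Linux/Android none of this is a problem, and mail communication works fine too. So what is going on? It looks like Apple cannot use the Let's Encrypt certificates that were created. I can't imagine that.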

Does anyone have any idea about this? Thanks for your help.

Server: Ubuntu 20.04, managed with Plesk

Client: macOS Catalina, Apple Mail

---[Edit]--- I ran

    openssl s_client -connect maildomain.com:465

on a Windows computer and on a Mac to check the connection to my mail server. Result on the PC:

    CONNECTED(00000003)
    depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = R3
    verify return:1
    depth=0 CN = maildomain.com
    verify return:1
    ---
    Certificate chain
     0 s:CN = maildomain.com
       i:C = US, O = Let's Encrypt, CN = R3
     1 s:C = US, O = Let's Encrypt, CN = R3
       i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
     2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
       i:O = Digital Signature Trust Co., CN = DST Root CA X3
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIFJzCCBA+gAwIBAgISBBHHETtaspqio7t1ZKYQ36xHMA0GCSqGSIb3DQEBCwUA
    MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
    EwJSMzAeFw0yMTEwMDUwNzQyMjVaFw0yMjAx ... etc.
    -----END CERTIFICATE-----
    subject=CN = maildomain.com

    issuer=C = US, O = Let's Encrypt, CN = R3

    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Peer signature type: RSA-PSS
    Server Temp Key: X25519, 253 bits
    ---
    SSL handshake has read 4676 bytes and written 395 bytes
    Verification: OK
    ---
    New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: DDE8ED4DBF7BD8E8F2D411EDE00C7522C0A15927E3D0C75F58F174B7464270D3
        Session-ID-ctx:
        Master-Key: 6D3167E0283ED9BA1F6427841212C8BAF37FF75998B369DE4184618EF9BFBE9F8860809CC9B7xxxxxxxxxxxxxxxxxxxx
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 7200 (seconds)
        TLS session ticket:
        0000 - 21 be ab 05 b8 95 30 14-cf c1 ff 7d 98 aa 3c 82   !.....0....}..<.   ... etc...

        Start Time: 1633683311
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: yes
    ---
    220 my.server.com ESMTP Postfix (Debian/GNU)
    quit
    221 2.0.0 Bye
    closed

Here is the response on the Mac:

    CONNECTED(00000003)
    341:error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version:S23_clnt.c:596:

So it looks like the Mac cannot handle TLS1.2/TLS1.3...

Any suggestions?
