
TLS_PROTOCOL, “SSL3_GET_RECORD:wrong version number” and how to troubleshoot a borked Courier IMAP SSL setup.

This post has been moved to http://demongin.org/blog/825

10 Responses to “TLS_PROTOCOL, “SSL3_GET_RECORD:wrong version number” and how to troubleshoot a borked Courier IMAP SSL setup.”

  1. Luis V says:

    Hello Timothy, I am from Venezuela.

    I have the same problem, how do you repair or install SSL23?

    Thanks for helping me!

  2. Well, it depends on your distribution of course, but your openssl package is probably a.) damaged or b.) really, really old.

    What happens when you execute the

    # openssl ciphers

    command?

    If you get nothing or you’re missing the SSL3 cipher and you’re talking about a Debian system, I’d say try

    # aptitude purge openssl && aptitude install --reinstall openssl
  3. Luis V says:

    Hello Timothy, thanks for the reply…

    # openssl ciphers
    DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC2-CBC-MD5:RC4-SHA:RC4-MD5:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-MD5

    # dpkg -s courier-imap
    Package: courier-imap
    Status: install ok installed
    Source: courier (0.53.3-5)
    Version: 4.1.1.20060828-5

    # dpkg -s openssl
    Package: openssl
    Status: install ok installed
    Version: 0.9.8c-4etch3

    Thanks

  4. Well, it looks like the openssl package is probably not your problem.

    Assuming that you’ve got the “courier-imap-ssl” package installed, you’ll want to make sure that your mail server is configured correctly. Are you running postfix, by any chance? Because if you are, I might be able to help you out if your main.cf/master.cf are the source of your problem.

    What exactly _is_ your problem, btw? Are you getting the “wrong version number” message when you try to log in? What client are you using?

  5. Luis V says:

    I use Evolution Mail in Ubuntu. I can access my mail if I use TLS or no security; SSL does not respond.

    Look, this is my error:
    # openssl s_client -verify 3 -showcerts -connect 192.168.1.47:imap -starttls imap -ssl3

    verify depth is 3
    CONNECTED(00000003)
    19978:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
    19978:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

    # openssl s_client -verify 3 -showcerts -connect 192.168.1.47:imap -starttls imap -ssl2
    verify depth is 3
    CONNECTED(00000003)
    write:errno=104

    # netstat -tanpu
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 127.0.0.1:60000 0.0.0.0:* LISTEN 2186/postgrey.pid –
    tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 2125/mysqld
    tcp 0 0 0.0.0.0:81 0.0.0.0:* LISTEN 2714/ispconfig_http
    tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 3028/proftpd: (acce
    tcp 0 0 192.168.1.47:53 0.0.0.0:* LISTEN 3007/named
    tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 3007/named
    tcp 0 0 0.0.0.0:4949 0.0.0.0:* LISTEN 2563/munin-node
    tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 3007/named
    tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 2975/master
    tcp6 0 0 :::993 :::* LISTEN 3971/couriertcpd
    tcp6 0 0 :::995 :::* LISTEN 2304/couriertcpd
    tcp6 0 0 :::110 :::* LISTEN 2290/couriertcpd
    tcp6 0 0 :::143 :::* LISTEN 3952/couriertcpd
    tcp6 0 0 :::80 :::* LISTEN 2889/apache2
    tcp6 0 0 :::22 :::* LISTEN 2417/sshd
    tcp6 0 0 ::1:953 :::* LISTEN 3007/named
    tcp6 0 0 :::25 :::* LISTEN 2975/master
    tcp6 0 0 :::443 :::* LISTEN 2889/apache2
    tcp6 0 1728 ::ffff:192.168.1.47:22 ::ffff:192.168.1.:50546 ESTABLISHED 2465/0
    tcp6 0 0 ::ffff:192.168.1.47:22 ::ffff:192.168.1.:60916 ESTABLISHED 3499/1
    udp 0 0 0.0.0.0:1026 0.0.0.0:* 3007/named
    udp 0 0 127.0.0.1:161 0.0.0.0:* 2411/snmpd
    udp 0 0 192.168.1.47:53 0.0.0.0:* 3007/named
    udp 0 0 127.0.0.1:53 0.0.0.0:* 3007/named
    udp 0 0 192.168.1.47:123 0.0.0.0:* 2471/ntpd
    udp 0 0 127.0.0.1:123 0.0.0.0:* 2471/ntpd
    udp 0 0 0.0.0.0:123 0.0.0.0:* 2471/ntpd
    udp6 0 0 :::1027 :::* 3007/named
    udp6 0 0 fe80::206:4fff:fe1d:123 :::* 2471/ntpd
    udp6 0 0 ::1:123 :::* 2471/ntpd
    udp6 0 0 :::123 :::* 2471/ntpd

    # cat main.cf
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no
    append_dot_mydomain = no
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
    myhostname = xxxx #my domain
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    relayhost =
    mynetworks = 127.0.0.0/8
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = all
    smtpd_sasl_local_domain =
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,check_policy_service inet:127.0.0.1:60000
    smtpd_tls_auth_only = no
    smtp_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_CAfile = /etc/postfix/ssl/bundle.crt
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    virtual_maps = hash:/etc/postfix/usertable
    mydestination = /etc/postfix/localnamesh

    I replaced my domain with xxx.

  6. Luis V says:

    The server log says:

    Mar 11 15:39:07 vzla imapd: Connection, ip=[::ffff:xxx.xxx.xxx.13]
    Mar 11 15:39:08 vzla imapd: couriertls: accept: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
    Mar 11 15:39:08 vzla imapd: Disconnected, ip=[::ffff:xxx.xxx.xxx.13], time=1, starttls=1

  7. First, I’d check your /etc/courier/imap-ssl file to make sure it has these directives:

    IMAP_TLS_REQUIRED=0
    COURIERTLS=/usr/bin/couriertls
    TLS_PROTOCOL=SSL23
    TLS_STARTTLS_PROTOCOL=TLS1

    Then, if that doesn't work, I'd try these directives in your main.cf and see if you have any luck:

    smtpd_tls_security_level = may
    tls_cipher_list = all
    smtpd_use_tls = yes
    smtpd_tls_auth_only = yes

    If you still get the same errors, maybe try a different client (e.g. thunderbird or kmail) and see what happens.

  8. Luis V says:

    Hello,

    In my /etc/courier/imapd-ssl I change:
    TLS_PROTOCOL=SSL3

    to

    TLS_PROTOCOL=SSL23

    I don't get any result…

    In main.cf I added your code, but nothing happens; I have this error with an iPod too…

    Do I need to configure /etc/postfix/master.cf?

  9. Luis V says:

    Maybe SSL23 is not supported in my version of couriertls:

    # sudo grep SSL3 /usr/bin/couriertls
    Binary file /usr/bin/couriertls matches
    # sudo grep SSL23 /usr/bin/couriertls
    #

    Nothing…

  10. Luis V says:

    Thanks for helping me…

    I resolved the problem: the server firewall was blocking the imap-ssl port…

    I’m happy now…
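
The thread above went several rounds because only one of the two transports a mail client can use was ever probed: `openssl s_client -starttls imap` against port 143 (comment 5) answered, while the "SSL" setting in Evolution, which means implicit TLS on port 993, was silently filtered by the firewall (comment 10). The script below is an added example, not code from the original post, from Courier or from OpenSSL. It runs the same `openssl s_client` probes against both ports and reduces each transcript to a one-word verdict, so that "TCP never completes" (firewall), "TCP works but TLS does not" (a `TLS_PROTOCOL` or cipher mismatch, or TLS bytes sent to a plaintext port) and "TLS works, the certificate is the only complaint" are told apart in one run. It assumes `openssl(1)` and the coreutils `timeout(1)` are installed; the host `192.168.1.47` is the one from the thread and only a placeholder; the transcripts embedded for the offline self-check are constructed, the first two copied from comment 5 and the rest written to match what `s_client` prints in those cases.

```shell
#!/bin/sh
# Added example (not from the original post): probe an IMAP server over both
# transports a mail client can use and turn openssl s_client's transcript into
# a one-word diagnosis.  Assumes openssl(1) and coreutils timeout(1) on PATH;
# the host 192.168.1.47 is the address from the thread, used as a placeholder.

# classify_sclient_output: read an openssl s_client transcript on stdin and
# print a one-token verdict.  Patterns are matched most-specific first.
classify_sclient_output() {
    out=$(cat)
    case "$out" in
        "")
            # Nothing at all, not even CONNECTED: the TCP handshake never
            # completed, which is what a DROP firewall rule looks like.
            echo timeout-or-filtered ;;
        *"Verify return code: 0 (ok)"*)
            echo ok ;;
        *"Verify return code:"*)
            # TLS handshake completed; only the certificate chain is unhappy.
            echo tls-ok-cert-problem ;;
        *"wrong version number"*|*"alert handshake failure"*|*"unknown protocol"*)
            # TCP works, TLS does not: protocol/cipher mismatch, or TLS bytes
            # sent to a plaintext port (or plaintext sent to a TLS port).
            echo protocol-mismatch ;;
        *"errno=104"*|*"Connection reset"*)
            # Peer closed the connection mid-handshake (the -ssl2 case above).
            echo reset-by-peer ;;
        *"Connection refused"*|*"errno=111"*)
            # RST on connect: nothing listening, or a REJECT firewall rule.
            echo refused ;;
        *"Connection timed out"*|*"errno=110"*)
            echo timeout-or-filtered ;;
        *)
            echo unknown ;;
    esac
}

# probe_imap HOST: STARTTLS on 143, then implicit TLS on 993.  A server that
# passes the first and comes back refused or timeout-or-filtered on the second
# has a firewall or no couriertcpd listener on 993, not a broken OpenSSL.
probe_imap() {
    host=$1
    printf '%-26s ' "$host:143 STARTTLS"
    timeout 15 openssl s_client -connect "$host:143" -starttls imap </dev/null 2>&1 \
        | classify_sclient_output
    printf '%-26s ' "$host:993 implicit TLS"
    timeout 15 openssl s_client -connect "$host:993" </dev/null 2>&1 \
        | classify_sclient_output
}

# Constructed transcripts for the offline self-check.  The first two are the
# outputs posted in comment 5; the others are written to match what s_client
# prints for a refused connect, a self-signed certificate and a clean handshake.
SAMPLE_SSL3_REJECTED='verify depth is 3
CONNECTED(00000003)
19978:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
19978:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:'
SAMPLE_SSL2_RESET='verify depth is 3
CONNECTED(00000003)
write:errno=104'
SAMPLE_REFUSED='connect: Connection refused
connect:errno=111'
SAMPLE_SELFSIGNED='CONNECTED(00000003)
depth=0 CN = mail.example.invalid
verify error:num=18:self signed certificate
---
    Verify return code: 18 (self signed certificate)
---'
SAMPLE_OK='CONNECTED(00000003)
---
    Verify return code: 0 (ok)
---'

# show LABEL TRANSCRIPT: print the verdict for one constructed transcript.
show() {
    printf '%-16s %s\n' "$1" "$(printf '%s\n' "$2" | classify_sclient_output)"
}

# Usage:  sh imap-tls-probe.sh                  # offline self-check
#         sh imap-tls-probe.sh 192.168.1.47     # probe a real host
if [ $# -gt 0 ]; then
    probe_imap "$1"
else
    show SSL3_REJECTED "$SAMPLE_SSL3_REJECTED"
    show SSL2_RESET    "$SAMPLE_SSL2_RESET"
    show REFUSED       "$SAMPLE_REFUSED"
    show SELFSIGNED    "$SAMPLE_SELFSIGNED"
    show OK            "$SAMPLE_OK"
fi
```

Two caveats when reading the verdicts. The server-side message in comment 6, `SSL3_GET_CLIENT_HELLO:wrong version number`, is couriertls saying that what arrived on a TLS listener was not a TLS ClientHello at all (for example a client that speaks plaintext IMAP or STARTTLS to port 993); the client-side classifier can only report that TCP is fine and TLS is not, which config knob is wrong still has to be read from the Courier and client settings. And the `-ssl2` and `-ssl3` switches used in comment 5 no longer exist in current OpenSSL builds (SSLv2 support was removed outright and SSLv3 is compiled out by default), so on a modern box the same probe is run without a version flag and the negotiated protocol is read from the `Protocol :` line of the transcript instead.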
