TLS_PROTOCOL, “SSL3_GET_RECORD:wrong version number” and how to troubleshoot a borked Courier IMAP SSL setup.

Posted by Timothy O'Connell in General on March 10, 2009

I was recently doing some server hardening on the computer that serves my email when, upon attempting to check my admin account, I got the following completely unhelpful, vanilla "encryption protocol" error from Thunderbird:

Thunderbird can't connect securely to because the site uses a security protocol which isn't enabled.

So, naturally, I whipped out T-bird's about:config, grepped the list for "ssl" and made sure that most of the contemporary ciphers were enabled (i.e. set to true). And once I was satisfied that things were on the up and up with my client, I decided to go have a look at the server.

Tailing mail.log, I noted this sort of thing happening over and over:

Mar 10 13:06:31 lana postfix/postfix-script[18701]: starting the Postfix mail system
Mar 10 13:06:31 lana postfix/master[18702]: daemon started -- version 2.5.5, configuration /etc/postfix
Mar 10 13:07:27 lana imapd-ssl: couriertls: connect: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

This message sort of blew my mind: I was essentially being told that my client, a Debian (Lenny) workstation running Thunderbird, shared no openssl ciphers with my email server, a Debian (Lenny) box out in the wild.

Not being the sort to ignore log warnings, I decided to verify. From the client:

gonzo:/# openssl ciphers
DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC2-CBC-MD5:RC4-SHA:RC4-MD5:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-MD5

A fairly robust list. From the server:

lana:/# openssl ciphers
DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC2-CBC-MD5:RC4-SHA:RC4-MD5:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-MD5

Same cot-damn list.

"So what gives?"

I Googled around a bit and learned about "s_client", a subcommand of the openssl tool that lets you debug an SSL exchange. I ran the following on my client:

gonzo:/# openssl s_client -connect mail.XXXXXXX.com:993 -ssl3

It showed me that the port was open, but that there were handshake problems:

26282:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
26282:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

From that cryptic output, I decided that it was time to dig into the SSL conf files over on the server.

After a little preliminary troubleshooting--a quick scan of /etc/postfix/main.cf and /etc/postfix/master.cf to check for obvious shenanigans--I decided to have a look at /etc/courier/imapd-ssl and found the source of my new SSL auth problem: I had, in my recent efforts to beef up security, managed to overwrite my previous /etc/courier/imapd-ssl with a vanilla version of that conf file that had a big ol' hash mark in front of the argument that determines exactly which ciphers the IMAP daemon will use to authenticate requests: TLS_PROTOCOL was commented out completely, as was TLS_STARTTLS_PROTOCOL.

I took a quick look at the surrounding comments in the conf file and set both of them to "SSL23":

TLS_PROTOCOL=SSL23
TLS_STARTTLS_PROTOCOL=SSL23

I then reloaded postfix, attempted to connect with my client and, to my dismay, saw this roll up in the mail.log:

Mar 10 13:55:34 lana imapd-ssl: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

This message, while cryptic enough to send me off to scratch my head and pore over comments on OsDir and the Ubuntu fora, was one that I eventually figured out. It turns out that those two TLS protocol directives do not want to be identical.

So I changed the file thus:

TLS_STARTTLS_PROTOCOL=TLS1

And, once I had reloaded the IMAP daemon and postfix, voila: a clean log-in!

Mar 10 13:56:52 lana imapd-ssl: Connection, ip=[::ffff:XX.XXX.XXX.XXX]
Mar 10 13:56:52 lana imapd-ssl: LOGIN, user=admin, ip=[::ffff:XX.XXX.XXX.XXX], port=[42130], protocol=IMAP
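To make the two checks above repeatable, here is a small added diagnostic (not part of the original post or of Courier) that parses an imapd-ssl style config for commented-out or identical TLS_PROTOCOL directives and maps the two couriertls errors seen in mail.log to the cause the post found. The config and log excerpts are constructed samples, and the "must differ" rule is the post's finding about SSL23/TLS1.

```python
import re

# Constructed sample of /etc/courier/imapd-ssl in the broken state the post describes:
# both protocol directives present but commented out behind a '#'.
SAMPLE_CONF_BROKEN = """\
##NAME: TLS_PROTOCOL:0
#TLS_PROTOCOL=SSL23
##NAME: TLS_STARTTLS_PROTOCOL:0
#TLS_STARTTLS_PROTOCOL=TLS1
COURIERTLS=/usr/bin/couriertls
"""

# Constructed mail.log excerpt (host and IP are made up) carrying the two couriertls
# errors discussed in the post, followed by one normal login line.
SAMPLE_LOG = [
    "Mar 10 13:07:27 lana imapd-ssl: couriertls: connect: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher",
    "Mar 10 13:55:34 lana imapd-ssl: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number",
    "Mar 10 13:56:52 lana imapd-ssl: LOGIN, user=admin, ip=[::ffff:203.0.113.5], port=[42130], protocol=IMAP",
]

DIRECTIVES = ("TLS_PROTOCOL", "TLS_STARTTLS_PROTOCOL")
DIRECTIVE_RE = re.compile(r"^\s*(#?)\s*(TLS_STARTTLS_PROTOCOL|TLS_PROTOCOL)\s*=\s*(\S*)")

def parse_conf(text):
    """Return {directive: (value, active)}; '#TLS_PROTOCOL=SSL23' is present but inactive.
    Courier's '##NAME:' documentation markers never match the directive regex."""
    found = {}
    for line in text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m:
            found[m.group(2)] = (m.group(3), m.group(1) == "")
    return found

def check_conf(text):
    """List the configuration problems the post ran into, in order of discovery."""
    found = parse_conf(text)
    problems = [f"{d} is missing or commented out: couriertls has no protocol to offer"
                for d in DIRECTIVES if d not in found or not found[d][1]]
    active = {d: v for d, (v, on) in found.items() if on}
    if len(active) == 2 and active["TLS_PROTOCOL"] == active["TLS_STARTTLS_PROTOCOL"]:
        problems.append("TLS_PROTOCOL and TLS_STARTTLS_PROTOCOL are identical; the post found "
                        "they must differ (e.g. TLS_PROTOCOL=SSL23, TLS_STARTTLS_PROTOCOL=TLS1)")
    return problems

# The two couriertls error texts from the post, each paired with the fix that cleared it.
ERROR_HINTS = {
    "no shared cipher": "server offers nothing the client accepts: check TLS_PROTOCOL is not commented out",
    "wrong version number": "record version refused by the peer: use SSL23 for TLS_PROTOCOL and TLS1 for STARTTLS",
}

def classify_log(lines):
    """Return (error text, hint) for every couriertls error line; normal lines are skipped."""
    return [(needle, hint) for line in lines if "couriertls" in line
            for needle, hint in ERROR_HINTS.items() if needle in line]
```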

10 Comments

 Luis V

Hello Timothy, I'm from Venezuela.

I have the same problem, how do you repair or install SSL23?

Thanks for helping me!

Well, it depends on your distribution of course, but your openssl package is probably a.) damaged or b.) really, really old.

What happens when you execute the

# openssl ciphers

command?

If you get nothing or you’re missing the SSL3 cipher and you’re talking about a Debian system, I’d say try

# aptitude purge openssl && aptitude install --reinstall openssl
 Luis V

Hello Timothy, thanks for the reply…

# openssl ciphers
DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC2-CBC-MD5:RC4-SHA:RC4-MD5:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-MD5

# dpkg -s courier-imap
Package: courier-imap
Status: install ok installed
Source: courier (0.53.3-5)
Version: 4.1.1.20060828-5

# dpkg -s openssl
Package: openssl
Status: install ok installed
Version: 0.9.8c-4etch3

Thanks

Well, it looks like the openssl package is probably not your problem.

Assuming that you’ve got the “courier-imap-ssl” package installed, you’ll want to make sure that your mail server is configured correctly. Are you running postfix, by any chance? Because if you are, I might be able to help you out if your main.cf/master.cf are the source of your problem.

What exactly _is_ your problem, btw? Are you getting the “wrong version number” message when you try to log in? What client are you using?

 Luis V

I use Evolution Mail on Ubuntu. I can access my mail if I use TLS or no security; SSL does not respond.

Look, this is my error:
# openssl s_client -verify 3 -showcerts -connect 192.168.1.47:imap -starttls imap -ssl3

verify depth is 3
CONNECTED(00000003)
19978:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
19978:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

# openssl s_client -verify 3 -showcerts -connect 192.168.1.47:imap -starttls imap -ssl2
verify depth is 3
CONNECTED(00000003)
write:errno=104

# netstat -tanpu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:60000 0.0.0.0:* LISTEN 2186/postgrey.pid –
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 2125/mysqld
tcp 0 0 0.0.0.0:81 0.0.0.0:* LISTEN 2714/ispconfig_http
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 3028/proftpd: (acce
tcp 0 0 192.168.1.47:53 0.0.0.0:* LISTEN 3007/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 3007/named
tcp 0 0 0.0.0.0:4949 0.0.0.0:* LISTEN 2563/munin-node
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 3007/named
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 2975/master
tcp6 0 0 :::993 :::* LISTEN 3971/couriertcpd
tcp6 0 0 :::995 :::* LISTEN 2304/couriertcpd
tcp6 0 0 :::110 :::* LISTEN 2290/couriertcpd
tcp6 0 0 :::143 :::* LISTEN 3952/couriertcpd
tcp6 0 0 :::80 :::* LISTEN 2889/apache2
tcp6 0 0 :::22 :::* LISTEN 2417/sshd
tcp6 0 0 ::1:953 :::* LISTEN 3007/named
tcp6 0 0 :::25 :::* LISTEN 2975/master
tcp6 0 0 :::443 :::* LISTEN 2889/apache2
tcp6 0 1728 ::ffff:192.168.1.47:22 ::ffff:192.168.1.:50546 ESTABLISHED2465/0
tcp6 0 0 ::ffff:192.168.1.47:22 ::ffff:192.168.1.:60916 ESTABLISHED3499/1
udp 0 0 0.0.0.0:1026 0.0.0.0:* 3007/named
udp 0 0 127.0.0.1:161 0.0.0.0:* 2411/snmpd
udp 0 0 192.168.1.47:53 0.0.0.0:* 3007/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 3007/named
udp 0 0 192.168.1.47:123 0.0.0.0:* 2471/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 2471/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 2471/ntpd
udp6 0 0 :::1027 :::* 3007/named
udp6 0 0 fe80::206:4fff:fe1d:123 :::* 2471/ntpd
udp6 0 0 ::1:123 :::* 2471/ntpd
udp6 0 0 :::123 :::* 2471/ntpd

# cat main.cf
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
myhostname = xxxx #my domain
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = procmail -a “$EXTENSION”
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,check_policy_service inet:127.0.0.1:60000
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/bundle.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
virtual_maps = hash:/etc/postfix/usertable
mydestination = /etc/postfix/localnamesh

I replaced my domain with xxx.

 Luis V

The server log says this:

Mar 11 15:39:07 vzla imapd: Connection, ip=[::ffff:xxx.xxx.xxx.13]
Mar 11 15:39:08 vzla imapd: couriertls: accept: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
Mar 11 15:39:08 vzla imapd: Disconnected, ip=[::ffff:xxx.xxx.xxx.13], time=1, starttls=1

First, I’d check your /etc/courier/imap-ssl file to make sure it has these directives:

IMAP_TLS_REQUIRED=0
COURIERTLS=/usr/bin/couriertls
TLS_PROTOCOL=SSL23
TLS_STARTTLS_PROTOCOL=TLS1

Then, if that doesn't work, I'd try these directives in your main.cf and see if you have any luck:

smtpd_tls_security_level = may
tls_cipher_list = all
smtpd_use_tls = yes
smtpd_tls_auth_only = yes

If you still get the same errors, maybe try a different client (e.g. thunderbird or kmail) and see what happens.

 Luis V

Hello,

In my /etc/courier/imapd-ssl I change:
TLS_PROTOCOL=SSL3

to

TLS_PROTOCOL=SSL23

I don’t have any result…

In main.cf I added your code, but nothing happened; I have this error with the iPod too…

Do I need to configure /etc/postfix/master.cf?

 Luis V

Maybe SSL23 is not supported in my version of couriertls:

# sudo grep SSL3 /usr/bin/couriertls
Coincidencia en el fichero binario /usr/bin/couriertls Binary file /usr/bin/couriertls matches
# sudo grep SSL23 /usr/bin/couriertls
#

Nothing…

 Luis V

Thanks for helping me…

I resolved the problem: the server firewall was blocking the imap-ssl port…

I’m happy now…
