  http://demongin.org

TLS_PROTOCOL, "SSL3_GET_RECORD:wrong version number"

How to troubleshoot a borked Courier IMAP SSL setup.


Sunday, 2010-03-28 | AlmostEffortless, Careerism

I was recently doing some server hardening on the computer that serves my email when, upon attempting to check my admin account, I got the following completely unhelpful, vanilla "encryption protocol" error from Thunderbird:

Thunderbird can't connect securely to <mailserver> because the site uses a security protocol which isn't enabled.
So, naturally, I whipped out T-bird's about:config, grepped the list for "ssl" and made sure that most of the contemporary ciphers were enabled (i.e. set to true). And once I was satisfied that things were on the up and up with my client, I decided to go have a look at the server.

Tailing mail.log, I noted this sort of thing happening over and over:
Mar 10 13:06:31 lana postfix/postfix-script[18701]: starting the Postfix mail system
Mar 10 13:06:31 lana postfix/master[18702]: daemon started -- version 2.5.5, configuration /etc/postfix
Mar 10 13:07:27 lana imapd-ssl: couriertls: connect: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
This message sort of blew my mind: I was essentially being told that my client, a Debian (Lenny) workstation running Thunderbird, shared no openssl ciphers with my email server, a Debian (Lenny) box out in the wild. (The server raises "no shared cipher" when nothing in the client's offered list survives its own protocol and cipher restrictions, so the constraint can just as well sit in the daemon's configuration as in either box's OpenSSL build.)

Not being the sort to ignore log warnings, I decided to verify. From the client:
gonzo:/# openssl ciphers
DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC2-CBC-MD5:RC4-SHA:RC4-MD5:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-MD5
A fairly robust list. From the server:
lana:/# openssl ciphers
DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC2-CBC-MD5:RC4-SHA:RC4-MD5:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-MD5
Same cot-damn list.

"So what gives?"

I Googled around a bit and learned about "s_client", a subcommand of the openssl tool that opens a connection to a server and prints the handshake, the certificate chain and the negotiated cipher, which makes it the natural way to debug an SSL exchange. I ran the following on my client:
gonzo:/# openssl s_client -connect mail.XXXXXXX.com:993 -ssl3
It showed me that the port was open, but that there were handshake problems:
26282:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
26282:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
From that cryptic output (alert number 40 is handshake_failure, meaning the server rejected the client hello outright; and since -ssl3 pins the client to SSLv3, repeating the probe with -tls1, and against port 143 with -starttls imap, tells you whether the problem is version-specific) I decided that it was time to dig into the SSL conf files over on the server.
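To take the guesswork out of lines like these, here is an added example (my own code, not from the original post) that decodes OpenSSL's packed error codes from mail.log or s_client output and attaches a next step to each reason code it knows. The hint texts are assumptions of mine; the code layout and the SSL_R_* reason values are OpenSSL 1.x's own. The sample lines are constructed from the ones quoted above, with a documentation IP in place of the masked one.

```python
"""Decode the OpenSSL error strings couriertls and s_client print.

Added example, not code from the original post. An OpenSSL 1.x error
code such as 1408F10B is three packed fields: library (8 bits),
function (12 bits) and reason (12 bits). The function and library names
are already spelled out in the log text, so the useful part to decode is
the reason, which maps to a stable SSL_R_* constant; the hints beside
each reason are mine. SAMPLE_LOG is constructed from the lines quoted in
the post (the client IP is a documentation address, not the real one).
"""
import re

ERR_LIB_SSL = 20  # ERR_LIB_SSL, printed as "SSL routines"

# SSL_R_* reason codes from <openssl/ssl.h>. Alert-derived reasons are
# 1000 + the TLS alert number, so 1040 is alert 40 (handshake_failure).
REASON_HINTS = {
    193: ("NO_SHARED_CIPHER",
          "server found nothing usable in the client hello: check the "
          "daemon's protocol version and cipher list before the client's"),
    229: ("SSL_HANDSHAKE_FAILURE",
          "this side gave up on the handshake; the peer's log says why"),
    267: ("WRONG_VERSION_NUMBER",
          "record layer saw a version it was not set up for (or plain "
          "text): check the protocol setting for this port"),
    1040: ("SSLV3_ALERT_HANDSHAKE_FAILURE",
           "peer sent alert 40, handshake_failure: it rejected our hello"),
}

ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^:]+)")
ALERT_RE = re.compile(r"SSL alert number (\d+)")


def decode_code(code_hex):
    """Split a 32-bit OpenSSL 1.x error code into (library, function, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def triage(line):
    """Describe the OpenSSL error on one log line, or return None if there is none."""
    m = ERR_RE.search(line)
    if not m:
        return None
    lib, _func, reason = decode_code(m.group("code"))
    name, hint = REASON_HINTS.get(reason, ("UNKNOWN", "reason %d not in table" % reason))
    alert = ALERT_RE.search(line)
    return {
        "code": m.group("code").upper(),
        "is_ssl_lib": lib == ERR_LIB_SSL,
        "function": m.group("func"),
        "reason": reason,
        "reason_name": name,
        "reason_text": m.group("reason").strip(),
        "alert": int(alert.group(1)) if alert else None,
        "hint": hint,
    }


def triage_log(lines):
    """Triage every line, dropping the ones that carry no OpenSSL error."""
    return [r for r in (triage(line) for line in lines) if r]


# Constructed sample: the post's mail.log and s_client lines, in order.
SAMPLE_LOG = [
    "Mar 10 13:06:31 lana postfix/master[18702]: daemon started -- version 2.5.5, configuration /etc/postfix",
    "Mar 10 13:07:27 lana imapd-ssl: couriertls: connect: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher",
    "26282:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40",
    "Mar 10 13:55:34 lana imapd-ssl: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number",
    "Mar 10 13:56:52 lana imapd-ssl: LOGIN, user=admin, ip=[::ffff:203.0.113.7], port=[42130], protocol=IMAP",
]

if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG):
        print("%s %-22s %-30s -> %s" % (r["code"], r["function"], r["reason_name"], r["hint"]))
```

Feed it `tail -f /var/log/mail.log` output or the stderr of an `openssl s_client` run and the reason column is the thing to search on; the hex code itself changes between OpenSSL builds only in its function field, the reason values stay put.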

After a little preliminary troubleshooting--a quick scan of /etc/postfix/main.cf and /etc/postfix/master.cf to check for obvious shenanigans--I decided to have a look at /etc/courier/imapd-ssl and found the source of my new SSL handshake problem: in my recent efforts to beef up security I had managed to overwrite my previous /etc/courier/imapd-ssl with a vanilla version of that conf file that had a big ol' hash in front of the directive that determines exactly which SSL/TLS protocol version the IMAP daemon will speak when it accepts a connection: TLS_PROTOCOL was commented completely out, as was TLS_STARTTLS_PROTOCOL.

I took a quick look at the surrounding comments in the conf file and set both of them to "SSL23":

TLS_PROTOCOL=SSL23
TLS_STARTTLS_PROTOCOL=SSL23
I then reloaded postfix (which does not read this file at all; it is the Courier IMAP-SSL daemon that has to be restarted for a change to imapd-ssl to take effect), attempted to connect with my client and, to my dismay, saw this roll up in the mail.log:
Mar 10 13:55:34 lana imapd-ssl: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
This message, while cryptic enough to send me off to scratch my head and pore over comments on OsDir and the Ubuntu fora, was one that I eventually figured out. It turns out that those two TLS protocol directives are not meant to carry the same value: TLS_PROTOCOL covers IMAP over SSL on port 993, while TLS_STARTTLS_PROTOCOL covers the STARTTLS upgrade on port 143, and the conf file's own comments ship the latter as TLS1. In general, "wrong version number" from SSL3_GET_RECORD means the record layer received bytes whose version field did not match what it was set up for, which is why it tends to show up when a port is given the wrong protocol setting or when plaintext arrives where TLS was expected.

So I changed the file thus:

TLS_STARTTLS_PROTOCOL=TLS1
And, once I had reloaded the IMAP daemon and postfix, voila: a clean log-in!
Mar 10 13:56:52 lana imapd-ssl: Connection, ip=[::ffff:XX.XXX.XXX.XXX]
Mar 10 13:56:52 lana imapd-ssl: LOGIN, user=admin, ip=[::ffff:XX.XXX.XXX.XXX], port=[42130], protocol=IMAP
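For anyone who lands in the same spot, here is an added example (mine, not the post's or Courier's code) that reads an imapd-ssl file the way the daemon's start script does, skipping hashed-out lines, and reports each of the three states described above: both directives commented out, both set to SSL23, and the working SSL23/TLS1 pair. The three embedded files are constructed; the warning on SSL2/SSL3 reflects today's view of those protocols, not the 2010 defaults.

```python
"""Lint the protocol directives in a Courier imapd-ssl configuration.

Added example, not the post's or Courier's own code. Courier's
/etc/courier/imapd-ssl is a shell-style KEY=VALUE file in which a
leading '#' disables a line, so the parser here skips comments the way
the daemon's start script does. The three embedded configs are
constructed to match the states the post walks through; the weak-
protocol judgement on SSL2/SSL3 is mine and reflects today's state,
not the 2010 default.
"""
import re

ASSIGN_RE = re.compile(r'^([A-Z_][A-Z0-9_]*)=("?)(.*?)\2$')

# The values the 2010-era conf file's own comments list for both directives.
KNOWN_VALUES = {"SSL2", "SSL3", "SSL23", "TLS1"}
WEAK_VALUES = {"SSL2", "SSL3"}   # SSLv2 and SSLv3 are broken protocols today


def parse_courier_conf(text):
    """Return {NAME: value} for active assignments; '#' lines and blanks are ignored."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        if m:
            values[m.group(1)] = m.group(3)
    return values


def check_tls_directives(text):
    """Return (severity, message) findings for the two protocol directives; [] means OK."""
    conf = parse_courier_conf(text)
    findings = []
    for name, port in (("TLS_PROTOCOL", 993), ("TLS_STARTTLS_PROTOCOL", 143)):
        value = conf.get(name)
        if value is None:
            findings.append(("error", "%s (port %d) is missing or commented out; "
                             "this is the state behind the post's 'no shared cipher'" % (name, port)))
        elif value not in KNOWN_VALUES:
            findings.append(("warn", "%s=%s is not one of the values the conf file's "
                             "comments list (SSL2, SSL3, SSL23, TLS1)" % (name, value)))
        elif value in WEAK_VALUES:
            findings.append(("warn", "%s=%s pins a broken protocol version" % (name, value)))
    if conf.get("TLS_STARTTLS_PROTOCOL") == "SSL23":
        findings.append(("error", "TLS_STARTTLS_PROTOCOL=SSL23: the STARTTLS directive ships "
                         "as TLS1, and SSL23 here produced the post's 'wrong version number'"))
    return findings


# Constructed: the vanilla file with both directives hashed out ...
BROKEN_CONF = """\
##NAME: TLS_PROTOCOL:0
#TLS_PROTOCOL=SSL23
##NAME: TLS_STARTTLS_PROTOCOL:0
#TLS_STARTTLS_PROTOCOL=TLS1
TLS_CERTFILE=/etc/courier/imapd.pem
"""
# ... the first attempt, both set to SSL23 ...
HALF_FIXED_CONF = BROKEN_CONF + "TLS_PROTOCOL=SSL23\nTLS_STARTTLS_PROTOCOL=SSL23\n"
# ... and the pair that finally logged in cleanly.
FIXED_CONF = BROKEN_CONF + "TLS_PROTOCOL=SSL23\nTLS_STARTTLS_PROTOCOL=TLS1\n"

if __name__ == "__main__":
    import sys
    samples = [("broken", BROKEN_CONF), ("half-fixed", HALF_FIXED_CONF), ("fixed", FIXED_CONF)]
    if len(sys.argv) > 1:   # lint a real file: python lint.py /etc/courier/imapd-ssl
        samples = [(sys.argv[1], open(sys.argv[1]).read())]
    for label, conf in samples:
        for sev, msg in check_tls_directives(conf) or [("ok", "both directives set")]:
            print("%-12s %-5s %s" % (label, sev, msg))
```

The parser deliberately ignores everything a shell would treat as a comment, so a directive that looks present in a grep but has a hash in front of it is reported as missing, which is exactly the trap the post fell into.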