tls: unsupported SSLv2 handshake received

Prabhash Rathore

Sep 17, 2019, 4:13:58 AM
to golang-nuts
Hello,

We run one of the large-volume MTA (Mail Transfer Agent) servers, which is responsible for receiving emails from the internet. This SMTP server is implemented in Golang.

We notice around 2% of TLS connections (clients use STARTTLS to upgrade a plain connection to TLS) fail with the following error:
tls: unsupported SSLv2 handshake received

Grepping through Golang crypto code, it seems this error is thrown here: https://github.com/golang/go/blob/a8c2e5c6adc0d8f9b976a55bf4e22fcf5770ea55/src/crypto/tls/conn.go#L610

Looking at the comment, it seems Golang does not support SSLv2 and SSLv3.

I am reaching out to see if there is any way possible to add support for older SSL versions or if there are any workarounds. In the SMTP world, there are lots of clients who still use old SSL builds and we would like to be able to support them on our MTA servers.

Our Environment Details:
Golang: 1.12.9
OS: RHEL Server 7.6
Kernel: 3.10

Appreciate any help/pointers.

Thanks!
Prabhash Rathore

Ian Lance Taylor

Sep 17, 2019, 4:51:56 PM
to Prabhash Rathore, Filippo Valsorda, golang-nuts
[ +filippo ]
> --
> You received this message because you are subscribed to the Google Groups "golang-nuts" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/3acb5184-acc1-405b-adc6-3536b4e6f121%40googlegroups.com.

Anthony Martin

Sep 18, 2019, 4:42:08 AM
to Prabhash Rathore, golang-nuts
Prabhash Rathore <prabhas...@gmail.com> once said:
> Looking at the comment, it seems Golang does not support SSLv2 and SSLv3.

The crypto/tls package can support SSLv3 if you set tls.Config.MinVersion
to tls.VersionSSL30, but only as a server.

> I am reaching out to see if there is any way possible to add support for
> older SSL versions or if there are any workarounds. In the SMTP world, there
> are lots of clients who still use old SSL builds and we would like to be
> able to support them on our MTA servers.

I think it's unlikely that SSLv2 will be supported. There is a very
old discussion about this at https://github.com/golang/go/issues/3930
that you might want to check out.

Cheers,
Anthony

Andy Balholm

Sep 18, 2019, 11:35:23 AM
to Anthony Martin, Prabhash Rathore, golang-nuts
As I understand it, the issue isn’t actually about SSLv2 itself. It’s that clients that support SSLv2 use an old handshake format. In that handshake, they can advertise support for SSLv3 and maybe even TLS 1. So if crypto/tls added support for the handshake but not the rest of SSLv2, they could successfully negotiate an SSLv3 connection.

Of course, now that SSLv3 is deprecated, it’s not very likely that support for these old handshakes will be added.

Andy
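
The old handshake format described in the message above, as an added example (not part of the thread and not crypto/tls code): a Go classifier that looks at the first 11 bytes a client sends after STARTTLS and reports whether it is an SSLv2-format ClientHello and which highest version it advertises, so an operator can measure what the failing clients could actually negotiate. The names `Classify`, `Hello` and `Describe` and the sample bytes are constructed for illustration; the layout follows RFC 5246, Appendix E.2.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Hello describes the first message a client sent after STARTTLS.
type Hello struct {
	Format  string // "sslv2-compat", "tls-record" or "unknown"
	Version uint16 // highest protocol version the client advertises
}

var names = map[uint16]string{0x0002: "SSLv2", 0x0300: "SSLv3",
	0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

// Classify inspects the first 11 bytes of the hello (peeked, not consumed).
// SSLv2-format ClientHello: 2-byte length with the high bit set, msg_type 1,
// then the client's highest version.
// TLS record: type 22, version 3.x, 2-byte length, then handshake type 1,
// a 3-byte length and client_version.
func Classify(b []byte) (Hello, error) {
	if len(b) < 11 {
		return Hello{}, fmt.Errorf("need 11 bytes, got %d", len(b))
	}
	switch {
	case b[0]&0x80 != 0 && b[2] == 1:
		return Hello{"sslv2-compat", binary.BigEndian.Uint16(b[3:5])}, nil
	case b[0] == 22 && b[1] == 3 && b[5] == 1:
		return Hello{"tls-record", binary.BigEndian.Uint16(b[9:11])}, nil
	}
	return Hello{Format: "unknown"}, nil
}

// Describe returns a log-friendly label such as "sslv2-compat/TLS 1.0".
func Describe(h Hello) string {
	if n, ok := names[h.Version]; ok {
		return h.Format + "/" + n
	}
	return fmt.Sprintf("%s/0x%04x", h.Format, h.Version)
}

func main() {
	// Constructed sample: first 11 bytes of an SSLv2-format hello offering TLS 1.0.
	sample := []byte{0x80, 0x2e, 0x01, 0x03, 0x01, 0x00, 0x15, 0x00, 0x00, 0x00, 0x10}
	h, _ := Classify(sample)
	fmt.Println(Describe(h))
}
```

Logging the `Describe` label per failed connection separates clients that only offer SSLv2 or SSLv3 from those that wrap a TLS 1.0 or later offer in the old format.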