UW-IMAP and TLS problem

news.grnet.gr

May 7, 2006, 12:21:00 PM
Hello,
I have been using uw-imap with SSL (port 993) for a while with absolutely no
problem at all, however I am facing a problem when trying to use TLS (port
143). I get the following error (client: Thunderbird 1.5):

May 7 19:08:28 srv imapd[3951]: SSL error status: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Any help would be appreciated.


Mark Crispin

May 7, 2006, 1:19:17 PM
On Sun, 7 May 2006, news.grnet.gr wrote:
> I have been using uw-imap with SSL (port 993) for a while with absolutely no
> problem at all, however I am facing a problem when trying to use TLS (port
> 143). I get the following error (client: Thunderbird 1.5):
> May 7 19:08:28 srv imapd[3951]: SSL error status: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

This indicates a bug in the client. It is trying to negotiate TLS using
the SSLv23 client method instead of the correct TLSv1 client method.

Are you certain that Thunderbird was built correctly on your system? Did
you apply any third party patches to Thunderbird? As far as I know,
Thunderbird works here at UW, and it's difficult to believe that they
would make that type of blunder.

-- Mark --

http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.

news.grnet.gr

May 7, 2006, 2:44:21 PM
> Are you certain that Thunderbird was built correctly on your system? Did
> you apply any third party patches to Thunderbird? As far as I know,
> Thunderbird works here at UW, and it's difficult to believe that they
> would make that type of blunder.

I agree. Yet, this is the latest stable Windows version downloaded from
www.mozilla.com. Could you recommend a client I should test UW with, that
could be more likely to work?


Mark Crispin

May 7, 2006, 2:55:17 PM
On Sun, 7 May 2006, news.grnet.gr wrote:

Pine is a known compliant IMAP client.

news.grnet.gr

May 7, 2006, 3:58:34 PM
> Pine is a known compliant IMAP client.
>
Thanks, and anyone running under Windows?


Mark Crispin

May 7, 2006, 4:06:58 PM
On Sun, 7 May 2006, news.grnet.gr wrote:
>> Pine is a known compliant IMAP client.
> Thanks, and anyone running under Windows?

PC-Pine

news.grnet.gr

May 7, 2006, 4:38:38 PM
> PC-Pine

Thank you. I have also tried YAMC which is supposed to be TLS compliant.
However I get the same errors. I think it's unlikely that it also has
problems/bugs. Here is what I get by telnetting 143:

* OK [CAPABILITY IMAP4REV1 LITERAL+ SASL-IR LOGIN-REFERRALS STARTTLS LOGINDISABLED] localhost.localdomain IMAP4rev1 2004.357 at Sun, 7 May 2006 23:34:43 +0300 (EEST)

Could you suggest a 'manual' way to verify it was compiled properly?

One more thing: I was wondering if it could be an xinetd issue. Does
TLS+IMAP need a special configuration in xinetd? I have used the following:

# default: on
# description: The imap server answers imap requests.

service imap
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/local/uw-imap/imapd
        disable         = no
}


Mark Crispin

May 7, 2006, 7:13:57 PM
On Sun, 7 May 2006, news.grnet.gr wrote:
> Thank you. I have also tried YAMC which is supposed to be TLS compliant.
> However I get the same errors. I think it's unlikely that it also has
> problems/bugs.

I have never heard of YAMC. I have no way of knowing whether or not it is
compliant. Compliance is not a democracy; it is not determined by any vote
or count of clients.

The OpenSSL error message from UW imapd that you reported is exactly what
happens when a client negotiates the SSLv23 client method to a server
using the TLSv1 server method. The SSLv23 client method is correct for
SSL (port 993) IMAP sessions. It is not correct for TLS (port 143 +
STARTTLS command) sessions.

It is possible that a lazy client programmer falsely assumed that TLS is
just another name for SSL, and used the SSLv23 client method for TLS. In
fact, it is not only possible, it has happened. It is the single most
common mistake for an inexperienced client implementor to make in
implementing TLS.

If you give me the name of the system, I can test it from here and see if
it negotiates TLS correctly.

It is not possible to test SSL or TLS usefully via TELNET. TELNET only
verifies that [x]inetd is properly listening to the port and launching
imapd.

> Could you suggest a 'manual' way to verify it was compiled properly?

Pine.

PC Pine.

> One more thing: I was wondering if it could be an xinetd issue. Does
> TLS+IMAP need a special configuration in xinetd?

Generally, no.

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
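
An added example, not part of the original posts and not code from UW imapd or any client named in the thread: it classifies the first bytes a client sends after the server accepts STARTTLS, to show why an SSLv2-format hello fails on a server that only parses TLS records. It assumes the SSLv23 client method emits an SSLv2-compatible ClientHello, as OpenSSL builds of that period did by default; the function names are hypothetical and the sample bytes are constructed.

```python
import struct

def v2_compat_hello():
    """Constructed SSLv2-format ClientHello that offers TLS 1.0 (version 3.1)."""
    body = (b"\x01"                                     # msg type: CLIENT-HELLO
            + struct.pack(">HHHH", 0x0301, 3, 0, 16)    # version, cipher/sid/challenge lengths
            + b"\x00\x00\x2f" + bytes(16))              # one cipher spec, 16-byte challenge
    return struct.pack(">H", 0x8000 | len(body)) + body  # 2-byte header, high bit set

def tls1_hello():
    """Constructed TLS 1.0 ClientHello wrapped in a TLS handshake record."""
    hs = (struct.pack(">H", 0x0301) + bytes(32)         # client version, random
          + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00")  # no session id, 1 suite, null compression
    hs = b"\x01" + len(hs).to_bytes(3, "big") + hs      # handshake type 1 = ClientHello
    return b"\x16" + struct.pack(">HH", 0x0301, len(hs)) + hs

def classify_first_bytes(data):
    """Classify what a client sent right after the server's STARTTLS OK."""
    if len(data) < 5:
        return {"format": "incomplete"}
    # A TLS record parser reads bytes 1-2 as the record version, whatever was sent.
    as_version = (data[1], data[2])
    if data[0] == 0x16 and data[1] == 0x03:
        return {"format": "tls-record",
                "record_version": as_version,
                "record_length": struct.unpack(">H", data[3:5])[0],
                "parses_as_tls_record": True}
    if data[0] & 0x80 and data[2] == 0x01:
        return {"format": "sslv2-compat-hello",
                "offered_version": (data[3], data[4]),
                "record_length": ((data[0] & 0x7F) << 8) | data[1],
                "read_as_record_version": as_version,
                "parses_as_tls_record": False}
    return {"format": "unknown",
            "read_as_record_version": as_version,
            "parses_as_tls_record": False}

if __name__ == "__main__":
    for name, sample in (("SSLv23-style", v2_compat_hello()),
                         ("TLSv1-style", tls1_hello())):
        print(name, classify_first_bytes(sample))
```

For the SSLv2-format hello, the bytes a TLS record parser takes as the version are really the low length byte and the message type, so the major version is not 3 even though the hello itself offers 3.1.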
