[courier-users] SSL3_GET_RECORD:wrong version number


Mark Constable
Jan 3, 2008, 2:45:23 AM
I think I have adjusted my config files according to some
previous postings but I am still seeing a lot of these
errors... courier-mta 0.58.0, courier-imap 4.3.0

Jan 3 17:39:31 mail courieresmtpd: courieresmtpd:
STARTTLS failed: couriertls: accept: error:1408F10B:
SSL routines:SSL3_GET_RECORD:wrong version number

courierd:TLS_PROTOCOL=TLS1
esmtpd-ssl:TLS_PROTOCOL=SSL23
esmtpd:TLS_PROTOCOL=TLS1
imapd-ssl:TLS_PROTOCOL=SSL23
imapd-ssl:TLS_STARTTLS_PROTOCOL=TLS1
pop3d-ssl:TLS_PROTOCOL=SSL23
pop3d-ssl:TLS_STARTTLS_PROTOCOL=TLS1

Are these settings right or am I missing something else ?

--markc

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
courier-users mailing list
courie...@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Jay Lee
Jan 3, 2008, 7:00:49 AM

On 1/3/08, Mark Constable <ma...@renta.net> wrote:
>
> courierd:TLS_PROTOCOL=TLS1
> esmtpd-ssl:TLS_PROTOCOL=SSL23
> esmtpd:TLS_PROTOCOL=TLS1
> imapd-ssl:TLS_PROTOCOL=SSL23
> imapd-ssl:TLS_STARTTLS_PROTOCOL=TLS1
> pop3d-ssl:TLS_PROTOCOL=SSL23
> pop3d-ssl:TLS_STARTTLS_PROTOCOL=TLS1

I had to put SSL23 for ALL of these in order to get the errors to stop.
YMMV and you should of course test this out before using it in production.
The problem is that OpenSSL apparently does not allow TLS sessions to fall
back to SSL3 which some mail servers/clients use instead of TLS (I think I
got that right). Sam has taken the step of allowing GnuTLS to replace
OpenSSL for SSL/TLS support. GnuTLS is capable of falling back to SSL so it
should also solve these issues for you but again, I would test this before
putting it in production. Last I heard, GnuTLS is significantly slower at
encryption than OpenSSL.

Jay


--
Jay Lee
Network / Systems Administrator
Information Technology Dept.
Philadelphia Biblical University
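The version check Jay describes, as an added example that is not part of the original post or of Courier's or OpenSSL's code. It models the TLS_PROTOCOL values from the thread as a policy over the version bytes in the 5-byte TLS record header: a fixed-version listener (TLS1) only accepts records carrying that version, while SSL23 accepts any version it knows, which is why switching everything to SSL23 made the errors stop. The policy table, the sample record headers and the plaintext-SMTP case are constructed for the example, not taken from the page.

```python
import struct

# TLS record-layer versions as they appear on the wire (major, minor).
RECORD_VERSIONS = {
    (3, 0): "SSLv3",
    (3, 1): "TLSv1",
}

# Assumed model of Courier's TLS_PROTOCOL values (not Courier's own code):
# a fixed version accepts only records carrying that version; SSL23 is the
# version-flexible method and accepts every version the listener knows.
POLICY = {
    "SSL3": {(3, 0)},
    "TLS1": {(3, 1)},
    "SSL23": set(RECORD_VERSIONS),
}

HANDSHAKE = 22  # record content type that carries the ClientHello


def parse_record_header(data):
    """Split the 5-byte TLS record header into content type, version and payload length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length


def accept_record(data, tls_protocol):
    """Return 'ok' or the reason the listener would reject the first record it receives."""
    ctype, version, _length = parse_record_header(data)
    if version not in RECORD_VERSIONS:
        # Bytes that are not TLS at all (a client that keeps speaking SMTP in the
        # clear after STARTTLS) parse as a nonsense version and get the same reason.
        return "wrong version number"
    if version not in POLICY[tls_protocol]:
        return "wrong version number"
    if ctype != HANDSHAKE:
        return "not a handshake record"  # label used only by this model
    return "ok"


def make_client_hello_header(version, payload_len=40):
    """Build only the record header a ClientHello would carry; the payload is omitted."""
    return struct.pack("!BBBH", HANDSHAKE, version[0], version[1], payload_len)


# Constructed inputs: an SSLv3-only client, a TLSv1 client, and a client that
# sends plain SMTP after STARTTLS.
SAMPLES = {
    "sslv3_client": make_client_hello_header((3, 0)),
    "tlsv1_client": make_client_hello_header((3, 1)),
    "plaintext_ehlo": b"EHLO mail.example.org\r\n",
}


def audit(tls_protocol):
    """Run every sample against one TLS_PROTOCOL setting."""
    return {name: accept_record(data, tls_protocol) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for policy in ("TLS1", "SSL23"):
        print(policy, audit(policy))
```

Under TLS1 the SSLv3 client is rejected with "wrong version number"; under SSL23 it is accepted. The plaintext case is rejected under both, so a listener that still logs this error after the switch to SSL23 is more likely seeing clients that never start TLS at all than a version mismatch.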


Mark Constable
Jan 3, 2008, 8:39:10 AM
On Thursday 03 January 2008 22:00:15 Jay Lee wrote:
> I had to put SSL23 for ALL of these in order to get the errors to stop.

Great, thanks for the tip.

> YMMV and you should of course test this out before using it in production.

In a perfect world, yes :)

> The problem is that OpenSSL apparently does not allow TLS sessions to fall
> back to SSL3 which some mail servers/clients use instead of TLS (I think I
> got that right). Sam has taken the step of allowing GnuTLS to replace
> OpenSSL for SSL/TLS support. GnuTLS is capable of falling back to SSL so it
> should also solve these issues for you but again, I would test this before
> putting it in production. Last I heard, GnuTLS is significantly slower at
> encryption than OpenSSL.

I have used the SSL ports 465, 993 and 995 for years but
I still have no idea what, where and how TLS fits into the
picture. In fact I end up in a world of pain every time I
have anything to do with TLS.

Anyhow, I tried this on a server for the last hour with
zero STARTTLS errors (100 per hour previously) and all
else seems well so, again, thanks for the tip and TLS info.

courierd:TLS_PROTOCOL=SSL23
esmtpd-ssl:TLS_PROTOCOL=SSL23
esmtpd:TLS_PROTOCOL=SSL23
imapd-ssl:TLS_PROTOCOL=SSL23
imapd-ssl:TLS_STARTTLS_PROTOCOL=SSL23
pop3d-ssl:TLS_PROTOCOL=SSL23
pop3d-ssl:TLS_STARTTLS_PROTOCOL=SSL23

--markc
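Mark measures success by the STARTTLS error rate dropping from about 100 per hour to zero. As an added example (not from the original post), here is a small Python script that counts those failures per hour from Courier's syslog lines and unpacks the OpenSSL error code so the library, function and reason numbers can be compared across log entries. The log excerpt is constructed in the format of the line Mark posted; the only real error code in it is the 1408F10B from his log.

```python
import re
from collections import Counter

# Constructed syslog excerpt in the format courieresmtpd writes (not real log data).
LOG = """\
Jan  3 17:39:31 mail courieresmtpd: courieresmtpd: STARTTLS failed: couriertls: accept: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Jan  3 17:41:02 mail courieresmtpd: courieresmtpd: STARTTLS failed: couriertls: accept: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Jan  3 17:52:10 mail courieresmtpd: started,ip=[::ffff:192.0.2.10]
Jan  3 18:05:44 mail courieresmtpd: courieresmtpd: STARTTLS failed: couriertls: accept: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
"""

# Syslog timestamp, host, program, then the couriertls failure with its error:CODE:lib:func:reason tail.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<hh>\d\d):\d\d:\d\d \S+ (?P<prog>\w+): .*"
    r"STARTTLS failed: couriertls: \w+: error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.*)$"
)


def decode_openssl_error(code):
    """Unpack a classic (pre-3.0) OpenSSL error code: 8 bits library, 12 bits function, 12 bits reason."""
    value = int(code, 16)
    return {"lib": value >> 24, "func": (value >> 12) & 0xFFF, "reason": value & 0xFFF}


def starttls_failures_per_hour(log_text):
    """Return (failures per hour bucket, failures per (function, reason) pair)."""
    buckets = Counter()
    reasons = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        buckets[f"{m['mon']} {m['day']} {m['hh']}:00"] += 1
        reasons[(m["func"], m["reason"])] += 1
    return buckets, reasons


def hours_over(buckets, threshold):
    """Hour buckets whose failure count exceeds the threshold (Mark's baseline was ~100/hour)."""
    return sorted(hour for hour, n in buckets.items() if n > threshold)


if __name__ == "__main__":
    per_hour, per_reason = starttls_failures_per_hour(LOG)
    print(dict(per_hour))
    print(dict(per_reason))
    print(decode_openssl_error("1408F10B"))
    print(hours_over(per_hour, 1))
```

Run it before and after changing TLS_PROTOCOL and compare the per-hour counts; if the (function, reason) pair changes rather than the count dropping, the setting moved the failure somewhere else instead of fixing it.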


Alessandro Vesely
Jan 3, 2008, 1:05:22 PM
Mark Constable wrote:
> On Thursday 03 January 2008 22:00:15 Jay Lee wrote:
>
>> [...] Last I heard, GnuTLS is significantly slower at
>> encryption than OpenSSL.

I haven't been able to find a recent benchmark, despite the following assertion:
"GnuTLS has been benchmarked against OpenSSL and GnuTLS is significantly faster"
http://www.inspircd.org/wiki/Modules/ssl_gnutls#OpenSSL_vs._GnuTLS

On the opposite, ftp transfer performance has been reported to perform like
openssl:gnutls = 7:1, back in 2005
http://www.mail-archive.com/lftp-...@uniyar.ac.ru/msg01487.html

A comparison of features is in
http://www.gnu.org/software/gnutls/comparison.html

> I have used the SSL ports 465, 993 and 995 for years but
> I still have no idea what, where and how TLS fits into the
> picture.

TLS is the alive encryption standard that SSL was. TLS proposes new features,
such as the Server Name Indication (SNI) extension, that enables "virtual"
secure servers
http://tools.ietf.org/html/rfc4366#section-3.1
(See it at work on a web server at https://sni.velox.ch/ and following links)
Any forecast on when will SNI show up on mail servers?

The port numbers mentioned above are summarized in a short table here:
http://en.wikipedia.org/wiki/E-mail_client#Port_numbers
