[courier-users] SSL3_GET_RECORD:wrong version number with iPhone

8 views
Skip to first unread message

David E. Wheeler

unread,
Mar 30, 2008, 5:40:41 PM3/30/08
to
Howdy,

I just finished building a new courier-imap server on Ubuntu 7.10
"Gutsy Gibbon" using the packages installed via apt-get. It's working
great with my own self-signed certificate with TLS on port 143. Great,
that is, except for my iPhone. The iPhone complains:

Cannot Get Mail
Operation could not be completed (NSStreamSocketSSLErrorDomain
error -9844.)

Tailing the log on the server, I see the dreaded:

Mar 30 14:20:51 crocker imapd: Connection, ip=[::ffff:24.21.175.208]
Mar 30 14:20:51 crocker imapd: couriertls: accept: error:1408F10B:SSL
routines:SSL3_GET_RECORD:wrong version number
Mar 30 14:20:51 crocker imapd: Disconnected, ip=[::ffff:
24.21.175.208], time=0, starttls=1

I tried tweaking both TLS_PROTOCOL and TLS_STARTTLS_PROTOCOL, setting
them each to various things (SSL23, SSL2, TLS1), and while Mail.app on
Leopard continues to work fine for most settings, it never does work
on the iPhone.

The installed packages are:

courier-imap 4.1.3-2ubuntu2 Courier Mail Server - IMAP server
courier-imap-ssl 4.1.3-2ubuntu2 Courier Mail Server - IMAP over
SSL

I get the same issue, BTW, when I try the openssl client:

% openssl s_client -starttls imap -connect localhost:143
CONNECTED(00000003)
write:errno=104

The log for this says:

Mar 30 14:28:43 crocker imapd: Connection, ip=[::ffff:127.0.0.1]
Mar 30 14:28:43 crocker imapd: couriertls: connect: error:1408F10B:SSL
routines:SSL3_GET_RECORD:wrong version number
Mar 30 14:28:43 crocker imapd: Disconnected, ip=[::ffff:127.0.0.1],
time=0, starttls=1

Might there be something I've missed in the configuration, or might
there be a bug in the Ubuntu builds of courier-imap?

Any advice or assistance would be much appreciated.

Best,

David

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
_______________________________________________
courier-users mailing list
courie...@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

Sam Varshavchik

unread,
Mar 30, 2008, 5:52:25 PM3/30/08
to
This is a MIME GnuPG-signed message. If you see this text, it means that
your E-mail or Usenet software does not support MIME signed messages.
The Internet standard for MIME PGP messages, RFC 2015, was published in 1996.
To open this message correctly you will need to install E-mail or Usenet
software that supports modern Internet standards.

--===============0191902455==
Content-Type: multipart/signed;
boundary="=_mimegpg-commodore.email-scan.com-10980-1206913931-0003";
micalg=pgp-sha1; protocol="application/pgp-signature"

This is a MIME GnuPG-signed message. If you see this text, it means that
your E-mail or Usenet software does not support MIME signed messages.
The Internet standard for MIME PGP messages, RFC 2015, was published in 1996.
To open this message correctly you will need to install E-mail or Usenet
software that supports modern Internet standards.

--=_mimegpg-commodore.email-scan.com-10980-1206913931-0003
Content-Type: text/plain; format=flowed; charset="US-ASCII"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

David E. Wheeler writes:

> I tried tweaking both TLS_PROTOCOL and TLS_STARTTLS_PROTOCOL, setting
> them each to various things (SSL23, SSL2, TLS1), and while Mail.app on
> Leopard continues to work fine for most settings, it never does work
> on the iPhone.
>
> The installed packages are:
>
> courier-imap 4.1.3-2ubuntu2 Courier Mail Server - IMAP server
> courier-imap-ssl 4.1.3-2ubuntu2 Courier Mail Server - IMAP over
> SSL

Upgrade to 4.3.1, whose default SSL configuration is more tolerant.

--=_mimegpg-commodore.email-scan.com-10980-1206913931-0003
Content-Type: application/pgp-signature
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQBH8AuLx9p3GYHlUOIRArPCAJ4qotj5AwL3edxMUPLyLHcrnY2DIwCfSW8I
UC0mK0wn+d0uz5wC8HhpEZI=
=1v4n
-----END PGP SIGNATURE-----

--=_mimegpg-commodore.email-scan.com-10980-1206913931-0003--


--===============0191902455==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace

--===============0191902455==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
courier-users mailing list
courie...@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users

--===============0191902455==--

David E.Wheeler

unread,
Mar 30, 2008, 6:44:41 PM3/30/08
to
On Mar 30, 2008, at 14:52, Sam Varshavchik wrote:

>> courier-imap 4.1.3-2ubuntu2 Courier Mail Server - IMAP server
>> courier-imap-ssl 4.1.3-2ubuntu2 Courier Mail Server - IMAP
>> over SSL
>
> Upgrade to 4.3.1, whose default SSL configuration is more tolerant.

Bah! Looks like hardy will have 4.3.0. :-( I'll have to ask around
among ubuntu-ers as to whether 4.3.1 will be rolled in before release
of hardy next month.

In the meantime, is there nothing I can do with 4.1.3 to get it to be
more tolerant?

Thanks,

David

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace

Martin Schuster (IFKL IT OS DSM CD)

unread,
Mar 31, 2008, 1:49:52 AM3/31/08
to
David E.Wheeler wrote:
> In the meantime, is there nothing I can do with 4.1.3 to get it to be
> more tolerant?
>
Don't know if this applies to your problem, but I got SSL working for 0.56.0
by adding a line to tcpd/libcouriertls.c:

--- tcpd/libcouriertls.c 2007/05/27 21:54:08 1.20
+++ tcpd/libcouriertls.c 2007/06/30 03:24:11 1.21
@@ -419,6 +419,7 @@
ctx=SSL_CTX_new(protocol && strcmp(protocol, "SSL2") == 0
? SSLv2_method():
protocol && strcmp(protocol, "SSL3") == 0 ? SSLv3_method():
+ protocol && strcmp(protocol, "SSL23") == 0 ? SSLv23_method():
TLSv1_method());

if (!ctx)

(you have to "apt-get source courier-imap", apply the patch and recompile --
ask google how to rebuild packages with Debian if you need instructions :)

hth,
--
Martin Schuster
Infineon Technologies IT-Services GmbH
Tel: +43 5 1777 3517
<Martin.S...@infineon.com>

Lakeside B05
9020 Klagenfurt, Austria

FB: LG Klagenfurt, FN 246787y

VISIT US AT http://www.infineon.com/austria

David E. Wheeler

unread,
Mar 31, 2008, 1:05:53 PM3/31/08
to
On Mar 30, 2008, at 22:49, Martin Schuster (IFKL IT OS DSM CD) wrote:

> protocol && strcmp(protocol, "SSL3") == 0 ?
> SSLv3_method():
> + protocol && strcmp(protocol, "SSL23") == 0 ?
> SSLv23_method():
> TLSv1_method());
>
> if (!ctx)
>
> (you have to "apt-get source courier-imap", apply the patch and
> recompile --
> ask google how to rebuild packages with Debian if you need
> instructions :)

Looks like that patch is already in 4.1.3-2ubuntu2, which was
downloaded to courier-0.56.0.

:-(

Thanks,

David

Sérgio

unread,
May 24, 2008, 8:44:11 PM5/24/08
to
On Mar 31, 6:05 pm, da...@kineticode.com ("David E. Wheeler") wrote:
> On Mar 30, 2008, at 22:49, Martin Schuster (IFKL IT OS DSM CD) wrote:
>
> > protocol && strcmp(protocol, "SSL3") == 0 ?
> > SSLv3_method():
> > + protocol && strcmp(protocol, "SSL23") == 0 ?
> > SSLv23_method():
> > TLSv1_method());
>
> > if (!ctx)
>
> > (you have to "apt-get source courier-imap", apply the patch and
> > recompile --
> > ask google how to rebuild packages with Debian if you need
> > instructions :)
>
> Looks like that patch is already in 4.1.3-2ubuntu2, which was
> downloaded to courier-0.56.0.
>
> :-(
>
> Thanks,
>
> David


In /usr/lib/courier/etc, I modified imapd-ssl, esmtpd-ssl, courierd:
TLS_PROTOCOL=SSL23
After a restart, I was able to send mails and read them with

Reply all
Reply to author
Forward
0 new messages