

3 messages in net.sourceforge.lists.courier-users [courier-users] SIMAP (993) doesn't w...

| From | Sent On | Attachments |
|---|---|---|
| niclas | Sep 22, 2007 9:53 am | |
| Matthias Wimmer | Sep 25, 2007 4:15 pm | |
| niclas | Nov 5, 2007 9:11 am | |

| Subject: | [courier-users] SIMAP (993) doesn't work with 0.56, SSL23 setting doesn't work either | |
|---|---|---|
| From: | niclas (lis...@datenritter.de) | |
| Date: | Sep 22, 2007 9:53:00 am | |
| List: | net.sourceforge.lists.courier-users | |
hi!
I have debian testing with libssl0.9.8e and updated courier to 0.56 (from unstable) after problems occurred with 0.53-6.

```
courier-auth 0.59.3-2
courier-auth 0.59.3-2
courier-auth 0.59.3-2
courier-base 0.56.0-2
courier-imap 4.1.3-2
courier-imap 4.1.3-2
courier-mta 0.56.0-2
courier-mta- 0.56.0-2
courier-ssl 0.56.0-2
```

I have the same SSL-problems as described here:
http://www.mail-archive.com/courier-users@...@
I do NOT have those problems on a machine running

```
courier-auth 0.59.3-1
courier-auth 0.59.3-1
courier-auth 0.59.3-1
courier-auth 0.47-13
courier-base 0.53.3-5
courier-imap 4.1.1.20060
courier-imap 4.1.1.20060
courier-mail 0.53.3-5
courier-mlm 0.53.3-5
courier-mta 0.53.3-5
courier-mta- 0.53.3-5
courier-ssl 0.53.3-5
```

(Of course it might be a configuration problem after all but I doubt that.)
Randall wrote:

> courieresmtpd: courieresmtpd: STARTTLS failed: couriertls: accept: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>
> ...
>
> Apparently SSL23 doesn't do anything different than SSL3. I am having to back our 0.56.0 server down to SSL2 again to make things work. Which isn't right, because SSL3 worked fine before 0.56.0. None of these stupid wrong version number errors.

I can confirm that SSL23 doesn't work on my system, only SSL2 does, at least with some clients. The problem seems to be a handshaking / SSL-hello problem which affects STARTTLS-connections also.
I got the "wrong version number" under various circumstances, e.g. when Thunderbird (IceDove 1.5.0.12) tries to connect to imapd-ssl on port 993. (That had worked perfectly until the update.)
Well, I had to get access to my mails, so I made thunderbird use imap (143) with STARTTLS which works fine.
If I use the following settings in imapd-ssl:

```
IMAPDSSLSTART=NO
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=1
TLS_PROTOCOL=SSL3
TLS_STARTTLS_PROTOCOL=TLS1
```

I can connect with TB but connect with openssl only with TLS1 forced:

```
openssl s_client -starttls imap -tls1 -connect host:143
```

while

```
openssl s_client -starttls imap -connect host:143
```

prints:

```
CONNECTED(00000003)
write:errno=104
```

and on the server:

```
imapd: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
```

If I force ssl3 I get:

```
3914:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
3914:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

imapd: couriertls: connect: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
```

openssl s_client doesn't seem to have a chance to find out it should use TLS1 after STARTTLS. Doh!
So I tried out different settings for TLS_STARTTLS_PROTOCOL:

- SSL2 works without forcing anything.
- SSL23 works only if -tls1 is forced! (why?)
- SSL3 works without forcing.
- TLS1 works if forced (as said).

I tried openssl s_client -connect host:993 with:

```
IMAPDSSLSTART=YES
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=1
TLS_STARTTLS_PROTOCOL=TLS1
```

and different settings for TLS_PROTOCOL:

- SSL2 works
- SSL23 works only if -tls1 is forced
- SSL3 works only if forced.

What is wrong here?
To make Thunderbird connect to port 993 again I set

```
IMAPDSSLSTART=YES
IMAPDSTARTTLS=NO
IMAP_TLS_REQUIRED=0
```

Results for different TLS_PROTOCOL settings:

- SSL2 would work, but I forbid TB to use SSL2
- SSL23, SSL3, TLS1: can't connect, imapd-ssl: couriertls: accept: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

After all it seems to me that either courier behaves more strictly during handshaking and some clients cannot cope with that or handshaking is broken in courier. (Which I believe.)
ssldump usually reports "sslv2 compatible client hello" when things go wrong. Then either the server just resets the connection or a handshake failure occurs.
I am happy with IMAP and STARTTLS, but there are also problems with STARTTLS in esmtpd which might have to do with this.
Sounds a bit like SSL3 is too strict and SSL23 is misinterpreted as TLS1. (maybe a missing 'break'?)
Any ideas?
n.
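
The "sslv2 compatible client hello" that ssldump reports in the message above uses SSLv2 record framing even when it offers SSLv3 or TLS 1.0, so its first bytes differ from an SSLv3/TLS record. The following Python is an added example, not part of the original message and not Courier or OpenSSL code: it classifies the first bytes a client sends and shows how the same bytes look to a parser that accepts only SSLv3/TLS record framing. The function names are hypothetical and both sample hellos are constructed.

```python
# Added example: classify the first bytes of an SSL/TLS connection attempt.
VERSIONS = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0"}

# Constructed SSLv2-format CLIENT-HELLO offering TLS 1.0:
# 2-byte header (high bit set, length 0x1c), msg type 1, version 3.1,
# one 3-byte cipher spec, no session id, 16-byte challenge.
V2_HELLO = bytes.fromhex("801c 01 0301 0003 0000 0010 00000a") + bytes(16)

# Constructed SSLv3/TLS-format ClientHello offering TLS 1.0:
# record header (type 0x16, version 3.1, length), handshake type 1,
# 3-byte length, client_version 3.1, 32-byte random, empty session id,
# one cipher suite, null compression.
V3_HELLO = (bytes.fromhex("16 0301 002d 01 000029 0301") + bytes(32)
            + bytes.fromhex("00 0002 000a 01 00"))


def classify_hello(data: bytes):
    """Return (framing, highest version offered) for a client's first bytes."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    # SSLv2 framing: high bit of byte 0 set, byte 2 is msg type CLIENT-HELLO.
    if data[0] & 0x80 and data[2] == 0x01:
        return ("sslv2-compatible", VERSIONS.get((data[3], data[4]), "unknown"))
    # SSLv3/TLS framing: content type 0x16 (handshake), major version 3.
    if data[0] == 0x16 and data[1] == 0x03:
        if len(data) >= 11 and data[5] == 0x01:  # handshake type ClientHello
            return ("sslv3/tls-record", VERSIONS.get((data[9], data[10]), "unknown"))
        return ("sslv3/tls-record", VERSIONS.get((data[1], data[2]), "unknown"))
    return ("not-ssl", None)  # e.g. plaintext IMAP before STARTTLS


def v3_record_view(data: bytes):
    """Read bytes 0-2 as an SSLv3/TLS record header (type, major, minor)."""
    content_type, major, minor = data[0], data[1], data[2]
    return {
        "content_type": content_type,
        "version": (major, minor),
        # A parser that only knows SSLv3/TLS framing expects major == 3.
        "accepted": content_type == 0x16 and major == 3,
    }


if __name__ == "__main__":
    for name, sample in (("v2-format hello", V2_HELLO), ("v3-format hello", V3_HELLO)):
        print(name, classify_hello(sample), v3_record_view(sample))
```

Read as an SSLv3/TLS record header, the SSLv2-format hello has a "version" taken from its length and message-type bytes, which is not a valid 3.x version.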







