support for starttls

dtk d.t.k at gmx.de
Thu Apr 7 00:16:23 UTC 2011


On Thu, Apr 07, 2011 at 01:39:02AM +0200, dtk wrote:
> Hey Sebastian,
>
> On Wed, Apr 06, 2011 at 12:12:05PM +0200, Sebastian Spaeth wrote:
> > On Tue, 05 Apr 2011 23:26:33 +0200, dtk <d.t.k at gmx.de> wrote:
> >
> > >     self._sslobj.do_handshake()
> > > SSLError: [Errno 1] _ssl.c:490: error:1408F10B:SSL
> > > routines:SSL3_GET_RECORD:wrong version number
> >
> > Could it be that the server only supports SSLv2 (which is insecure) or
> > so?
> I can't tell for sure, but I hope not:

Actually, when presented with the protocol options TLS1.1, TLS1.0 and SSL3.0[0],
the server chooses TLS1.0 by default:

[bash]
$ gnutls-cli --starttls --port 143 jade-hamburg.de
Resolving 'jade-hamburg.de'...
Connecting to '85.183.11.228:143'...

- Simple Client Mode:

* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS LOGINDISABLED] Dovecot ready.
5 starttls
5 OK Begin TLS negotiation now.
*** Starting TLS handshake
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1023 bits
 - Peer's public key: 1020 bits
- Certificate type: X.509
 - Got a certificate list of 3 certificates.
 - Certificate[0] info:
  - subject `2.5.4.13=#13173332363130362d3853376f755659323733627058396f39,C=DE,O=Persona Not Validated,OU=StartCom Free Certificate Member,CN=www.jade-hamburg.de,EMAIL=webmaster at jade-hamburg.de', issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Class 1 Primary Intermediate Server CA', RSA key 4096 bits, signed using RSA-SHA, activated `2011-01-03 22:33:34 UTC', expires `2012-01-04 15:20:53 UTC', SHA-1 fingerprint `10124e8c8f632c90e8c8a229a1c6dee7a3d38e3f'
 - Certificate[1] info:
  - subject `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority', issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority', RSA key 4096 bits, signed using RSA-SHA, activated `2006-09-17 19:46:36 UTC', expires `2036-09-17 19:46:36 UTC', SHA-1 fingerprint `3e2bf7f2031b96f38ce6c4d8a85d3e2d58476a0f'
 - Certificate[2] info:
  - subject `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Class 1 Primary Intermediate Server CA', issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority', RSA key 2048 bits, signed using RSA-SHA, activated `2007-10-24 20:54:17 UTC', expires `2017-10-24 20:54:17 UTC', SHA-1 fingerprint `f691fc87efb3135354225a10e127e911d1c7f8cf'
- The hostname in the certificate matches 'jade-hamburg.de'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
5 logout
* BYE Logging out
5 OK Logout completed.
- Peer has closed the GNUTLS connection
$
[/bash]


I may force it to use SSL3.0 (by pretending I don't speak anything else), which
works just as nicely:

[bash]
$ gnutls-cli --starttls --priority NONE:+VERS-SSL3.0:+AES-128-CBC:+RSA:+SHA1:+COMP-NULL --port 143 jade-hamburg.de
Resolving 'jade-hamburg.de'...
Connecting to '85.183.11.228:143'...

- Simple Client Mode:

* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS LOGINDISABLED] Dovecot ready.
5 starttls
5 OK Begin TLS negotiation now.
*** Starting TLS handshake
- Certificate type: X.509
 - Got a certificate list of 3 certificates.
 - Certificate[0] info:
  - subject `2.5.4.13=#13173332363130362d3853376f755659323733627058396f39,C=DE,O=Persona Not Validated,OU=StartCom Free Certificate Member,CN=www.jade-hamburg.de,EMAIL=webmaster at jade-hamburg.de', issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Class 1 Primary Intermediate Server CA', RSA key 4096 bits, signed using RSA-SHA, activated `2011-01-03 22:33:34 UTC', expires `2012-01-04 15:20:53 UTC', SHA-1 fingerprint `10124e8c8f632c90e8c8a229a1c6dee7a3d38e3f'
 - Certificate[1] info:
  - subject `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority', issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority', RSA key 4096 bits, signed using RSA-SHA, activated `2006-09-17 19:46:36 UTC', expires `2036-09-17 19:46:36 UTC', SHA-1 fingerprint `3e2bf7f2031b96f38ce6c4d8a85d3e2d58476a0f'
 - Certificate[2] info:
  - subject `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Class 1 Primary Intermediate Server CA', issuer `C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority', RSA key 2048 bits, signed using RSA-SHA, activated `2007-10-24 20:54:17 UTC', expires `2017-10-24 20:54:17 UTC', SHA-1 fingerprint `f691fc87efb3135354225a10e127e911d1c7f8cf'
- The hostname in the certificate matches 'jade-hamburg.de'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: SSL3.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
5 logout
* BYE Logging out
5 OK Logout completed.
- Peer has closed the GNUTLS connection
[/bash]


Cannot test the server's reaction to SSL2.0 since my system doesn't support it,
but it seems obvious to me that it's _at_least_ not the only protocol the
server speaks.

Yours
dtk


__________
[0] from $ man gnutls-cli: "--priority PRIORITY STRING
                                  TLS  algorithms and protocols to enable.  Unless the first keyword is "NONE" the defaults are:

                                  Protocols: TLS1.1, TLS1.0, and SSL3.0"
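
Added example, not part of the original message or of OfflineIMAP: a small Python parser that pulls the negotiated parameters out of a gnutls-cli session summary like the two quoted above and flags weak results. The sample transcripts are abridged from that output, and the thresholds in `findings` are this example's assumptions.

```python
import re

# Constructed samples: summary lines abridged from the two gnutls-cli runs above.
TLS10_RUN = """\
*** Starting TLS handshake
 - Using prime: 1024 bits
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
"""
SSL3_RUN = """\
*** Starting TLS handshake
- Peer's certificate is NOT trusted
- Version: SSL3.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
"""

FIELD = re.compile(r"^- (Version|Key Exchange|Cipher|MAC): (.+)$", re.M)
PRIME = re.compile(r"^\s*- Using prime: (\d+) bits$", re.M)

def summarize(transcript):
    """Return the parameters gnutls-cli reports after the handshake marker."""
    _, marker, body = transcript.partition("*** Starting TLS handshake")
    if not marker:
        raise ValueError("no TLS handshake in transcript (STARTTLS refused?)")
    info = {key: value.strip() for key, value in FIELD.findall(body)}
    m = PRIME.search(body)
    info["DH prime bits"] = int(m.group(1)) if m else None
    info["trusted"] = "Peer's certificate is trusted" in body
    return info

def findings(info):
    """Flag weak results; the thresholds are this example's choice."""
    out = []
    if info.get("Version") in ("SSL2.0", "SSL3.0"):
        out.append("legacy protocol " + info["Version"])
    if not info.get("Key Exchange", "").startswith(("DHE", "ECDHE")):
        out.append("no forward secrecy")
    if info["DH prime bits"] is not None and info["DH prime bits"] < 2048:
        out.append("DH prime under 2048 bits")
    if not info["trusted"]:
        out.append("certificate chain not trusted")
    return out

if __name__ == "__main__":
    for name, run in (("default", TLS10_RUN), ("forced SSL3.0", SSL3_RUN)):
        print(name, summarize(run), findings(summarize(run)))
```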


