[Pkg-openssl-devel] OpenSSL bug? (error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number)
Kurt Roeckx
kurt at roeckx.be
Sat Feb 23 11:17:35 UTC 2013
On Sat, Feb 23, 2013 at 02:11:15AM +0100, W. Martin Borgert wrote:
> On 2013-02-22 22:05, Kurt Roeckx wrote:
> > On Fri, Feb 22, 2013 at 09:39:49PM +0100, W. Martin Borgert wrote:
> > > I have a problem with wheezy, but not with squeeze.
> > > I assume, it is an OpenSSL issue, but I'm not sure.
> > [...]
> > > ssl.SSLError: [Errno 1] _ssl.c:1359: error:1408F10B:SSL
> > > routines:SSL3_GET_RECORD:wrong version number
> >
> > Can you reproduce this with "openssl s_client"?
> >
> > Can you try the "-no_tls1_2" and "-no_tls1_1" options?
> >
> > This is most likely a bug in the software you're trying to
> > talk too, not in openssl.
>
> This is for sure, as it identifies itself as "Microsoft Exchange
> Server 2003 IMAP4rev1-Server, Version 6.5.7638.1" :~) Anyway, I
> need to retrieve emails from this thing.
>
> On squeeze (openssl 0.9.8o-4squeeze14), the command
>
> openssl s_client -connect 192.168.1.1:993
>
> seems to work, i.e. the IMAP server seems to wait for commands
> (EHLO or whatever) after telling me it is MS Exchange.
>
> On wheezy (openssl 1.0.1c-4), the same command terminates with
>
> 140159863764648:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:
>
> after printing the MS Exchange stuff above.
>
> However, when I add either -no_tls1_1 or -no_tls1_2 or both on
> wheezy, it works. I would need the equivalent of these options
> inside the Python IMAP4_SSL class, but there is nothing.
>
> I wonder, whether this is related to #680137? I did not yet try
> the patch in that bug report, however.
There are many such issues.
Anyway, you need modify the IMAP4_SSL class so that it can do
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2)
I don't want to change library defaults to disable newer
TLS versions because there is broken software out there. Else
we're never going to move to those newer protocols.
Kurt
More information about the Pkg-openssl-devel
mailing list