[Pkg-openssl-devel] OpenSSL bug? (error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number)

Kurt Roeckx kurt at roeckx.be
Sat Feb 23 11:17:35 UTC 2013


On Sat, Feb 23, 2013 at 02:11:15AM +0100, W. Martin Borgert wrote:
> On 2013-02-22 22:05, Kurt Roeckx wrote:
> > On Fri, Feb 22, 2013 at 09:39:49PM +0100, W. Martin Borgert wrote:
> > > I have a problem with wheezy, but not with squeeze.
> > > I assume, it is an OpenSSL issue, but I'm not sure.
> > [...]
> > > ssl.SSLError: [Errno 1] _ssl.c:1359: error:1408F10B:SSL
> > > routines:SSL3_GET_RECORD:wrong version number
> >
> > Can you reproduce this with "openssl s_client"?
> >
> > Can you try the "-no_tls1_2" and "-no_tls1_1" options?
> >
> > This is most likely a bug in the software you're trying to
> > talk to, not in openssl.
> 
> This is for sure, as it identifies itself as "Microsoft Exchange
> Server 2003 IMAP4rev1-Server, Version 6.5.7638.1" :~) Anyway, I
> need to retrieve emails from this thing.
> 
> On squeeze (openssl 0.9.8o-4squeeze14), the command
> 
> openssl s_client -connect 192.168.1.1:993
> 
> seems to work, i.e. the IMAP server seems to wait for commands
> (EHLO or whatever) after telling me it is MS Exchange.
> 
> On wheezy (openssl 1.0.1c-4), the same command terminates with
> 
> 140159863764648:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:
> 
> after printing the MS Exchange stuff above.
> 
> However, when I add either -no_tls1_1 or -no_tls1_2 or both on
> wheezy, it works. I would need the equivalent of these options
> inside the Python IMAP4_SSL class, but there is nothing.
> 
> I wonder, whether this is related to #680137? I did not yet try
> the patch in that bug report, however.

There are many such issues.

Anyway, you need to modify the IMAP4_SSL class so that it can do
SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2)

I don't want to change library defaults to disable newer
TLS versions because there is broken software out there.  Else
we're never going to move to those newer protocols.


Kurt
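
The per-connection workaround suggested above, as an added example that is not part of the original mail or of Python's imaplib: it builds a dedicated SSL context with the ssl module's bindings of SSL_OP_NO_TLSv1_1 / SSL_OP_NO_TLSv1_2 and hands it to IMAP4_SSL, so library defaults stay untouched. The helper names (legacy_context, disabled_versions, connect_legacy_imap) are hypothetical, and it assumes a Python whose IMAP4_SSL accepts ssl_context.

```python
import imaplib
import ssl
import warnings

# Version names used by this example, mapped to the ssl module's bindings of
# OpenSSL's SSL_OP_NO_* flags (what s_client's -no_tls1_1 / -no_tls1_2 set).
_NO_FLAGS = {
    "TLSv1.1": ssl.OP_NO_TLSv1_1,
    "TLSv1.2": ssl.OP_NO_TLSv1_2,
}


def legacy_context(disable=("TLSv1.2",), cafile=None):
    """Return a verifying client context with the named TLS versions disabled."""
    unknown = set(disable) - set(_NO_FLAGS)
    if unknown:
        raise ValueError("unsupported version name(s): %s" % sorted(unknown))
    # Certificate and hostname verification stay enabled; only the protocol
    # range offered to this one peer is narrowed.
    ctx = ssl.create_default_context(cafile=cafile)
    with warnings.catch_warnings():
        # Newer Python releases mark OP_NO_* as deprecated in favour of
        # ctx.maximum_version; silenced here to mirror the option in the mail.
        warnings.simplefilter("ignore", DeprecationWarning)
        for name in disable:
            ctx.options |= _NO_FLAGS[name]
    return ctx


def disabled_versions(ctx):
    """List which of the versions known to this example are switched off."""
    return sorted(name for name, flag in _NO_FLAGS.items() if ctx.options & flag)


def connect_legacy_imap(host, port=993, disable=("TLSv1.2",), cafile=None):
    """Open IMAPS to one known-broken server using the restricted context."""
    ctx = legacy_context(disable, cafile)
    return imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
```

Use the restricted context only for the host that needs it and keep the default context everywhere else; whether the handshake then succeeds still depends on which protocol versions the local OpenSSL build and policy allow.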
