error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number


Gammadyne
Hello all, hope someone can help.

I upgraded from 1.0.0d to 1.0.1c and immediately started getting this error:

error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

It occurs during SMTP after successful negotiation.  Oddly, the first command after negotiation works, but not the second.  Here is the complete conversation:

220 mail.gammadyne.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at  Wed, 16 May 2012 23:59:12 -0500
>EHLO gammadyne.com
250-mail.gammadyne.com Hello [64.126.68.153]
250-AUTH=LOGIN
250-AUTH LOGIN
250-TURN
250-SIZE 30720000
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-TLS
250-STARTTLS
250 OK
>STARTTLS
220 2.0.0 SMTP server ready
>SSL negotiated, cipher=DES-CBC3-SHA, bits=168, version=TLSv1/SSLv3
>EHLO gammadyne.com
250-mail.gammadyne.com Hello [64.126.68.153]
250-AUTH=LOGIN
250-AUTH LOGIN
250-TURN
250-SIZE 30720000
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250 OK
>AUTH LOGIN
>SSL read error 1: SSL module internal error
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number


My configuration is as follows:

ctx = SSL_CTX_new(SSLv23_client_method());
SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_AUTO_RETRY);
SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);


I've tried the following solutions to no avail:
* Upgrading NASM to latest version
* Upgrading Perl to latest version
* Installing all updates on the mail server (Windows 2003/IIS6)
* SSL_OP_ALL, SSL_OP_CIPHER_SERVER_PREFERENCE, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION

Using SSL_OP_NO_TLSv1 does fix the problem, but I don't really want to disable TLS1.

Could it be the cipher?  On 1.0.0d, the negotiated cipher was RC4-MD5

It's a rather odd problem.  Anyone have any ideas?

TIA, Greg Wittmeyer, Gammadyne Corp.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Re: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Luke Carpenter
I am getting the same problem (various SSL errors after a successful
negotiation) with an SMTP server I've written in Ruby, and I'm stuck
with it.

I've resorted to tracing through the Postfix SSL/TLS code to see how
they handle it, and it looks like they just keep retrying the
operation until it's successful (tls_bio_ops.c or something similar).

Good luck, I would love to know if you find a solution.

Thanks,
Luke

====

Sent via Nyx

On 18 May 2012, at 00:48, Greg Wittmeyer <[hidden email]> wrote:

> Hello all, hope someone can help.
>
> I upgraded from 1.0.0d to 1.0.1c and immediately started getting this error:
>
> error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>
> It occurs during SMTP after successful negotiation.  Oddly, the first command after negotiation works, but not the second.  Here is the complete conversation:
>
> 220 mail.gammadyne.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at  Wed, 16 May 2012 23:59:12 -0500
>> EHLO gammadyne.com
> 250-mail.gammadyne.com Hello [64.126.68.153]
> 250-AUTH=LOGIN
> 250-AUTH LOGIN
> 250-TURN
> 250-SIZE 30720000
> 250-ETRN
> 250-PIPELINING
> 250-DSN
> 250-ENHANCEDSTATUSCODES
> 250-8bitmime
> 250-BINARYMIME
> 250-CHUNKING
> 250-VRFY
> 250-TLS
> 250-STARTTLS
> 250 OK
>> STARTTLS
> 220 2.0.0 SMTP server ready
>> SSL negotiated, cipher=DES-CBC3-SHA, bits=168, version=TLSv1/SSLv3
>> EHLO gammadyne.com
> 250-mail.gammadyne.com Hello [64.126.68.153]
> 250-AUTH=LOGIN
> 250-AUTH LOGIN
> 250-TURN
> 250-SIZE 30720000
> 250-ETRN
> 250-PIPELINING
> 250-DSN
> 250-ENHANCEDSTATUSCODES
> 250-8bitmime
> 250-BINARYMIME
> 250-CHUNKING
> 250-VRFY
> 250 OK
>> AUTH LOGIN
>> SSL read error 1: SSL module internal error
> error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>
>
> My configuration is as follows:
>
> ctx = SSL_CTX_new(SSLv23_client_method());
> SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_AUTO_RETRY);
> SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
>
>
> I've tried the following solutions to no avail:
> * Upgrading NASM to latest version
> * Upgrading Perl to latest version
> * Installing all updates on the mail server (Windows 2003/IIS6)
> * SSL_OP_ALL, SSL_OP_CIPHER_SERVER_PREFERENCE, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
>
> Using SSL_OP_NO_TLSv1 does fix the problem, but I don't really want to disable TLS1.
>
> Could it be the cipher?  On 1.0.0d, the negotiated cipher was RC4-MD5
>
> It's a rather odd problem.  Anyone have any ideas?
>
> TIA, Greg Wittmeyer, Gammadyne Corp.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [hidden email]
> Automated List Manager                           [hidden email]

Re: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Dr. Stephen Henson
In reply to this post by Gammadyne
On Thu, May 17, 2012, Greg Wittmeyer wrote:

> Hello all, hope someone can help.
>
> I upgraded from 1.0.0d to 1.0.1c and immediately started getting this error:
>
> error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>

It's a known issue. The latest snapshots could fix it, or apply this patch to
1.0.1c:

http://cvs.openssl.org/chngview?cn=22565

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Re: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Gammadyne
In reply to this post by Gammadyne
In response to your message on 18-May-2012 5:57:33a

I added the line of code per http://cvs.openssl.org/chngview?cn=22565 but it did not help.  The latest snapshot only mentions one other change, and it is unrelated.  But I tried it anyway, and still no luck.  Exact same error occurs.

Sincerely,

Greg Wittmeyer
mailto:[hidden email]




Re: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Gammadyne
In reply to this post by Gammadyne
I just tried 1.0.1f and the problem that I reported in May 2012 is still present.

If you want to try it for yourself, try sending an email over SSL to nobody@cetest.nl

To summarize, after the AUTH LOGIN command is sent, OpenSSL will produce this error:

error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number




Re: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Viktor Dukhovni
On Mon, Jan 06, 2014 at 12:31:35PM -0800, Gammadyne wrote:

> I just tried 1.0.1f and the problem that I reported in May 2012 is still
> present.
>
> If you want to try it for yourself, try sending an email over SSL to
> [hidden email]
>
> To summarize, after the AUTH LOGIN command is sent, OpenSSL will produce
> this error:
>
> error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

See recent thread on this list with:

        Subject: Verisign Problem with smtp tls

> > 220 mail.gammadyne.com Microsoft ESMTP MAIL Service, Version:
> > 6.0.3790.4675 ready at  Wed, 16 May 2012 23:59:12 -0500

Microsoft Exchange 2003 server.

> > 220 2.0.0 SMTP server ready
> >>SSL negotiated, cipher=DES-CBC3-SHA, bits=168, version=TLSv1/SSLv3

Broken DES-CBC3-SHA cipher suite.

> >>AUTH LOGIN
> >>SSL read error 1: SSL module internal error
> > error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Mangled SSL record apparently in response to first encrypted command
after EHLO.  As expected.  Work-arounds provided in that thread.

You must ensure that RC4-SHA and/or RC4-MD4 occur among the first
64 cipher suites in the client SSL HELLO message.  By default, with
OpenSSL 1.0.1 there are more than 64 cipher suites that are stronger
than RC4-SHA.

Perhaps this is becoming an FAQ item.

--
        Viktor.

Re: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Gammadyne
Okay, I got it working by calling this right after creating the context:

SSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:RC4-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5");

This is the default cipher list for OpenSSL 1.0.1f, with RC4-SHA moved up in the order.  This will avoid the bug in IIS6/Exchange 2003.  Any program that connects to random mail servers should use this method.

I would like to point out that OpenSSL should have a SSL_CTX_get_cipher_list() function so that the cipher list would not need to be hard-coded.  This would future-proof it against new ciphers being added in later updates.

Thank you Viktor for pointing me in the right direction.


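
The workaround in this thread depends on RC4-SHA appearing among the first 64 suites the client offers, which the last post achieves with a hard-coded list. The following is an added example, not code from the thread or from OpenSSL: it checks where a suite sits in a colon-separated cipher string and moves it up to a given position only when it is too far down. The function names and the sample list are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* 1-based position of `name` among the non-empty entries of a
 * colon-separated cipher string; 0 if it is not listed. */
size_t cipher_position(const char *list, const char *name)
{
    size_t pos = 0, nlen = strlen(name);
    while (*list) {
        size_t len = strcspn(list, ":");
        if (len && ++pos && len == nlen && strncmp(list, name, len) == 0)
            return pos;
        list += len + (list[len] == ':');
    }
    return 0;
}

/* Copy `list` to `out` with `name` moved up to position `limit` when it sits
 * later than that. Returns 1 if moved, 0 if already early enough,
 * -1 if `name` is absent or `limit` is 0, -2 if `out` is too small. */
int promote_cipher(const char *list, const char *name, size_t limit,
                   char *out, size_t outlen)
{
    size_t pos = cipher_position(list, name), nlen = strlen(name);
    size_t emitted = 0, used = 0;
    if (pos == 0 || limit == 0) return -1;
    if (strlen(list) + 1 > outlen) return -2;  /* result is never longer than input */
    if (pos <= limit) { strcpy(out, list); return 0; }
    while (*list) {
        size_t len = strcspn(list, ":");
        if (len && !(len == nlen && strncmp(list, name, len) == 0)) {
            if (emitted == limit - 1) {        /* slot `limit` goes to `name` */
                used += snprintf(out + used, outlen - used, "%s%s", used ? ":" : "", name);
                emitted++;
            }
            used += snprintf(out + used, outlen - used, "%s%.*s", used ? ":" : "", (int)len, list);
            emitted++;
        }
        list += len + (list[len] == ':');
    }
    return 1;
}

int main(void)
{
    /* Constructed sample list (not a real default); a real caller would use limit 64. */
    const char *sample = "AES256-SHA:CAMELLIA256-SHA:DES-CBC3-SHA:AES128-SHA:SEED-SHA:RC4-SHA:RC4-MD5";
    char fixed[256];
    int rc = promote_cipher(sample, "RC4-SHA", 3, fixed, sizeof fixed);
    printf("rc=%d\n%s\n", rc, rc >= 0 ? fixed : "(unchanged)");
    return rc < 0;
}
```

In an OpenSSL client the input string can be assembled from SSL_get_cipher_list(ssl, n) for increasing n until it returns NULL, and the result passed to SSL_set_cipher_list() or SSL_CTX_set_cipher_list(). RFC 7465 has since prohibited RC4 suites in TLS, so this reordering is only relevant where a legacy server of the kind described in the thread must still be reached.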