SSL3 Connect/Read Error #308

Closed
glitch1337 opened this Issue Oct 5, 2013 · 13 comments

@glitch1337

Failing to connect to an Exchange IMAP server which is using SSL3.

At handshake the following kicks off:

[Error: 140562302744384:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:../deps/openssl/openssl/ssl/s23_clnt.c:766:
] source: 'socket'

This is worked around by requiring http and setting the secureProtocol at the beginning of the application:

var https = require('https');
https.globalAgent.options.secureProtocol = 'SSLv3_method';

However once past this, the following crops up.

{ [Error: 139804791691072:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:../deps/openssl/openssl/ssl/s3_pkt.c:337:
] source: 'socket' }
@mscdex
Owner
mscdex commented Oct 5, 2013

http/https is not used in node-imap, so I'm not sure why that would change anything...

You can pass tls options via the tlsOptions setting passed to the node-imap Connection constructor:

var Imap = require('imap');

var imap = new Imap({
  // .....
  tls: true,
  tlsOptions: {
    secureProtocol: 'SSLv3_method'
  }
});

// .....
@glitch1337

Already tried that, which is why I ended up with the require and tlsOptions didn't help.

@mscdex
Owner
mscdex commented Oct 5, 2013

Are you sure that you're connecting to the right port? What happens if you try to connect to the port with netcat or telnet for example?

@glitch1337

Connecting using all the same info via any other means is just fine. This IMAP lib just doesn't want to know. Now in the throes of putting together something semi-workable, but not ideal with PHP to meet a deadline for show and tell for Monday.

FYI, using this lib, the connection details are:

// In here for extra gravy
var https = require('https');
https.globalAgent.options.secureProtocol = 'SSLv3_method';

var imap = new Imap({
    user: 'XXX',
    password: 'XXX',
    host: 'MAIL_SERVER_ADDIE',
    port: 143,
    tls: true,
    tlsOptions: { rejectUnauthorized: false, secureProtocol: 'SSLv3_method' }
});

Have mentioned that I can get past the handshake, it just doesn't like reading messages. Apologies if I sound "snippy" as not my intention.

@mscdex
Owner
mscdex commented Oct 5, 2013

Port 143 is for unencrypted IMAP connections. I think you want port 993 instead?

@glitch1337

Frustratingly 143 SSL3 works like a charm with PHP IMAP. And yes, you are absolutely right that port 143 is for unencrypted connections. Sadly there is a bozo "managing" the network I need to connect to and amongst many things he's an utter retard about, he refuses to open ports other than those he deems are not a "security risk". And boy do I have arguments over his "idea" of security being the total opposite of what security really is.

Anyway, thanks for the help here. Much appreciated.

@mscdex
Owner
mscdex commented Oct 5, 2013

I'm wondering if STARTTLS is being used in PHP's IMAP implementation. What if you try this config?:

{
  // ....
  port: 143,
  autotls: 'always',
  tlsOptions: { rejectUnauthorized: false, secureProtocol: 'SSLv3_method' }
}
@glitch1337

Thanks for the heads up. Sadly it still complains SSL3_GET_RECORD:wrong version number with auto tls.

@mscdex
Owner
mscdex commented Oct 6, 2013

It looks like you're not alone here.

Some additional things you might try (using the same autotls setup as before), based on what I've read thus far:

  • set tlsOptions: { rejectUnauthorized: false, secureProtocol: 'SSLv3_method', ciphers: 'AES128-SHA:AES256-SHA:RC4-MD5:RC4-SHA' }
  • set tlsOptions: { rejectUnauthorized: false, secureProtocol: 'TLSv1_method' }
  • temporarily try node master branch to see if anything tls-related changed since node v0.10
@glitch1337

Thanks for that.

Just tried the first 2 to no avail. Can't do a thing with the third option for the moment as it's running on a stable system. Will have a whack at pushing a new VM to the client with node master tomorrow when people return to work.

Nice researching by the way. Somewhat pleased I'm not losing it completely!

@mscdex
Owner
mscdex commented Oct 6, 2013

Out of curiosity, what does your PHP imap_open() look like that works for you?

EDIT: also, can you post the debug output when using the autotls option and not tls: true? (set debug: console.log in the config object)

@mscdex
Owner
mscdex commented Oct 6, 2013

Something else that might be helpful is comparing the results of the wireshark output when connecting via PHP and then via node-imap. That should provide a lot of useful information.

@mscdex
Owner
mscdex commented Dec 28, 2013

Any luck comparing wireshark output for PHP vs node-imap?

@mscdex mscdex closed this May 1, 2014
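
The port 143 versus 993 and STARTTLS questions raised in the comments above can be checked against bytes taken from a netcat session or a Wireshark capture. The following is an added example, not code from node-imap or from either participant; the function names are hypothetical and the sample bytes are constructed. It classifies the first server bytes as an SSL/TLS record or a plaintext IMAP greeting, and shows how a plaintext greeting decodes when a TLS client reads it as a record header.

```javascript
// Added example (not from the thread): classify the first bytes received from
// a server, to tell a TLS listener from plaintext IMAP that expects STARTTLS.
// All function names are hypothetical; the sample inputs are constructed.

const TLS_CONTENT_TYPES = { 20: 'change_cipher_spec', 21: 'alert', 22: 'handshake', 23: 'application_data' };
const TLS_VERSIONS = { 0x0300: 'SSLv3', 0x0301: 'TLSv1.0', 0x0302: 'TLSv1.1', 0x0303: 'TLSv1.2' };

// Parse a 5-byte SSL/TLS record header; returns null if the bytes are not one.
function parseRecordHeader(buf) {
  if (buf.length < 5) return null;
  const type = TLS_CONTENT_TYPES[buf[0]];
  const version = TLS_VERSIONS[buf.readUInt16BE(1)];
  if (!type || !version) return null;
  return { type, version, length: buf.readUInt16BE(3) };
}

// Decide what kind of listener produced these first bytes.
function classifyFirstBytes(buf) {
  const rec = parseRecordHeader(buf);
  if (rec) return { kind: 'tls', record: rec };
  const line = buf.toString('latin1').split('\r\n')[0];
  if (/^\* (OK|PREAUTH|BYE)\b/i.test(line)) {
    return { kind: 'plaintext-imap', greeting: line };
  }
  return { kind: 'unknown' };
}

// True if a CAPABILITY response (or greeting response code) offers STARTTLS.
function advertisesStartTls(capabilityLine) {
  const m = /CAPABILITY ([^\]\r\n]*)/i.exec(capabilityLine);
  return !!m && m[1].trim().split(/\s+/).some((c) => c.toUpperCase() === 'STARTTLS');
}

// What a TLS client sees if it treats a plaintext greeting as a record header:
// the first five bytes of "* OK ..." decoded as type / version / length.
function misreadAsRecord(buf) {
  return { type: buf[0], version: buf.readUInt16BE(1), length: buf.readUInt16BE(3) };
}

// Constructed samples.
const greeting = Buffer.from('* OK IMAP4 service is ready.\r\n', 'latin1');
const serverHello = Buffer.from([0x16, 0x03, 0x00, 0x00, 0x4a, 0x02, 0x00, 0x00, 0x46]);
console.log(classifyFirstBytes(greeting));
console.log(classifyFirstBytes(serverHello));
console.log(misreadAsRecord(greeting)); // version field is 0x204f, not 0x0300
console.log(advertisesStartTls('* CAPABILITY IMAP4rev1 AUTH=NTLM STARTTLS IDLE'));
```

A plaintext greeting on the port means the TLS handshake has to follow a STARTTLS command rather than start at connect time, and the server's CAPABILITY response shows whether it offers that.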