> From: owner-openssl-us...@openssl.org On Behalf Of ckyh43
> Sent: Thursday, 20 September, 2012 04:50
>
> I am unable to connect to the Gmail IMAP server with the
> OpenSSL s_client.
<snip>
> Debug output (from the second command):
> http://pastebin.com/raw.php?i=BJumtDHV
> (sent ClientHello see below, received readcnt=0=TCPclose)
> Initially I had thought that some kind of firewall in my
> network was interfering with my connection, but a local
> install of OpenSSL version 0.9.8l connects fine without any
> problems. But every release after 0.9.8l fails to connect.
> So I'm suspecting that the problem is caused by something
> which changed between 0.9.8l and 0.9.8m-beta1.
>
According to CHANGES, 0.9.8m implemented RFC5746 renegotiation and fixed RFC4507 ticket, though not clear if in client. A server could conceivably dislike either of these, or TLS>v1.0 (see next), but if so it should negotiate or alert, not close.

Your posted ClientHello doesn't jibe with 0.9.8anything. First, it is version 0301 (TLSv1.0) but states desired version 0302 (TLSv1.1), whereas I believe TLSv1.1 wasn't implemented until 1.0.1*, and most if not all 0.9.8* sent ClientHello in SSLv2 format (allowing up-negotiation to SSLv3 or TLSv1.0). Then it offers some ECC suites (maybe all, didn't check each), whereas 0.9.8* disabled all ECC suites by default (unless you did -cipher including ECCdraft without showing or mentioning it). And it includes extension 00 0F heartbeat, which I believe is only in 1.0.1*. Are you sure your 0.9.8m-beta1 is really that and not 1.0.1*? And I would certainly suggest using accepted 0.9.8m, or later, instead of any beta, just on general principles.

OTOH I am able to connect to imap.gmail.com 993 with OpenSSL 1.0.1c, which successfully does TLSv1.2 and ECDHE-RSA-RC4, so apparently the server likes all of these. DNS here does give me two addresses: 173.194.76.108 and .109. If they are handing out different addresses to different parts of DNS, and these addresses are not in fact the same server, maybe you got a different server than I did.

Actually even if you got the same address(es) but they are distributing it (them) over multiple machines, you might have got a different machine, although I got consistent results for several attempts, which suggests that if there are multiple machines they all work.

With 1.0.1c -no_tls1_2 I get almost the same ClientHello as you, and it succeeds but with TLSv1.1 (as should be expected).

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
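The checks the reply applies to the posted ClientHello (record-layer version versus the client_version inside the hello, whether 0xC0xx ECC suites are offered, whether the 00 0F heartbeat extension is present) can be run mechanically over a captured hello. Added example, not code from the thread or from OpenSSL: a small parser for a TLS-format ClientHello record plus a constructed sample shaped like the hello under discussion; it assumes the TLS record framing and does not handle the SSLv2-format hellos that older 0.9.8 clients send.

```python
import struct

ECC_SUITE_HIGH_BYTE = 0xC0   # 0xC0xx cipher suites are the ECDH/ECDHE families (IANA-registered ids)
HEARTBEAT_EXT = 0x000F       # RFC 6520 heartbeat extension
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def parse_client_hello(rec: bytes) -> dict:
    """Parse one TLS-format record holding a ClientHello (SSLv2-format hellos are rejected)."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", rec[:5])
    if ctype != 22 or rec_len != len(rec) - 5:
        raise ValueError("not a complete TLS handshake record")
    hs = rec[5:]
    if hs[0] != 1:                                  # HandshakeType client_hello
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    client_ver = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                    # skip client_random
    pos += 1 + body[pos]                            # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                            # skip compression_methods
    exts = []
    if pos < len(body):                             # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            exts.append(etype); pos += 4 + elen
    return {"record_version": rec_ver, "client_version": client_ver, "cipher_suites": suites, "extensions": exts}

def fingerprint(hello: dict) -> dict:
    """The reply's observations: record vs. client version, ECC suites offered, heartbeat extension present."""
    name = lambda v: VERSION_NAMES.get(v, hex(v))
    return {"record_version": name(hello["record_version"]), "client_version": name(hello["client_version"]),
            "offers_ecc": any(s >> 8 == ECC_SUITE_HIGH_BYTE for s in hello["cipher_suites"]),
            "heartbeat_ext": HEARTBEAT_EXT in hello["extensions"]}

def build_client_hello(client_ver: int, suites: list, exts: list) -> bytes:
    """Construct a ClientHello record for testing (constructed input, not a captured hello)."""
    body = struct.pack("!H", client_ver) + bytes(range(32)) + b"\x00"        # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                                       # one compression method: null
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0301, len(hs)) + hs                      # record-layer version TLSv1.0

# Constructed sample shaped like the hello discussed: record 0301, client_version 0302, ECC suites, 00 0F heartbeat.
SAMPLE = build_client_hello(0x0302, [0xC014, 0xC011, 0x002F, 0x000A],
                            [(0x000A, b"\x00\x02\x00\x17"), (0x000B, b"\x01\x00"), (HEARTBEAT_EXT, b"\x01")])
```

Running `fingerprint(parse_client_hello(SAMPLE))` reports TLSv1.0 at the record layer, TLSv1.1 as client_version, ECC suites offered and the heartbeat extension present, the same combination the reply uses to argue the client is not a 0.9.8 build.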