Hi
I'm using Ubuntu 12.04 (devel version). Today my openssl package got
updated to 1.0.1-2 and I cannot connect to my Exchange 2003 server
through IMAPS to get my emails. I tracked the problem down to openssl
version 1.0.1. I downloaded 1.0.1 and 1.0.0h from openssl.com, compiled
them and tried to connect to the same server with both. Here's what
happens with 1.0.0h:
gimre@ximi:/tmp/openssl-1.0.0h$ ./apps/openssl s_client -debug -connect hostname:993 -crlf
[...]
---
SSL handshake has read 1052 bytes and written 392 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID:
8A190000C9421EE453CD41C45FF1B9D07D585E15F3A70810A9D7D7A27E67FCAA
Session-ID-ctx:
Master-Key:
7F141DA1409C5E38D76D0B3E541FAA85DD618DC8257EAC244FF641EB01B70ADFBEC7F8100699B5DEDFB2D37A6B178A77
Key-Arg : None
PSK identity: None
PSK identity hint: None
Start Time: 1332515061
Timeout : 300 (sec)
Verify return code: 10 (certificate has expired)
---
read from 0x1979460 [0x197ea43] (5 bytes => 5 (0x5))
0000 - 17 03 01 00 78                                    ....x
read from 0x1979460 [0x197ea48] (120 bytes => 120 (0x78))
0000 - f7 64 39 6c ce 00 22 1e-9b 27 4a a8 fd 9f 07 d1   .d9l.."..'J.....
0010 - 43 23 1c 20 3c 95 5a eb-01 d6 ff 5d d3 d9 df e8   C# <.Z....]....
0020 - b9 7c 6b 3b dd 25 be 08-0d ec 2b d1 3f 98 9d 89   .|k;.%....+.?...
0030 - cc 90 da c8 07 2c f9 b1-53 87 1f 87 70 ad e7 57   .....,..S...p..W
0040 - 6a cf e8 82 1b b5 b2 8c-c2 6e 12 56 73 5d 87 6a   j........n.Vs].j
0050 - 89 43 42 44 16 7d 60 35-68 63 65 bb 48 69 4c ab   .CBD.}`5hce.HiL.
0060 - 6f 97 c0 d8 55 95 64 00-22 96 6b c0 5b 75 fb 58   o...U.d.".k.[u.X
0070 - 7c 37 84 2c ab 96 63 a3-                          |7.,..c.
* OK Microsoft Exchange Server 2003 IMAP4rev1 server version 6.5.7638.1 (hostname) ready.
A logout
write to 0x1979460 [0x1982f93] (31 bytes => 31 (0x1F))
A logout
write to 0x1979460 [0x1982f93] (31 bytes => 31 (0x1F))
[...]
Everything is working as expected. Now if I do the same with 1.0.1:
gimre@ximi:/tmp/openssl-1.0.1$ ./apps/openssl s_client -debug -connect hostname:993 -crlf
[...]
---
SSL handshake has read 1053 bytes and written 511 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DES-CBC3-SHA
Session-ID:
000D0000A682F45EDE5BC66A610CCFFB0E536DE047FDE5F3509AA7469751AA54
Session-ID-ctx:
Master-Key:
51A39E9649AAD532DF24115111268DCE3601FD2883DAA0F3B65C0CCAF2A80CDB010A604DAD8299D3B86888832CBE0847
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1332515141
Timeout : 300 (sec)
Verify return code: 10 (certificate has expired)
---
read from 0x15fbd30 [0x1601313] (5 bytes => 5 (0x5))
0000 - 17 03 01 00 80                                    .....
read from 0x15fbd30 [0x1601318] (128 bytes => 128 (0x80))
0000 - e2 a9 72 b6 69 78 75 59-74 92 c0 b9 a2 cf dd 48   ..r.ixuYt......H
0010 - 36 39 c1 c9 5a 57 6f ee-da 28 ea b6 e7 f4 4c d7   69..ZWo..(....L.
0020 - 5b b7 89 94 5f 5d 94 2b-f6 e7 1c f5 81 95 8c bd   [..._].+........
0030 - 17 f9 2c 21 04 93 39 0c-9c fc f3 1b 1d e6 b6 6e   ..,!..9........n
0040 - 77 c8 49 a9 1f 4b a0 3d-40 74 c1 fd 75 57 93 f0   w.I..K.=@t..uW..
0050 - 71 bc 4d ae ec 72 ca 00-e9 2b 20 9f 4e 97 47 92   q.M..r...+ .N.G.
0060 - 74 1f 17 17 87 ab 95 87-fd ca da 9e 3a 37 4c 7b   t...........:7L{
0070 - 5e 81 3c 7a b0 28 e0 93-ff e6 d1 20 d6 83 85 22   ^.<z.(..... ..."
* OK Microsoft Exchange Server 2003 IMAP4rev1 server version 6.5.7638.1 (hostname) ready.
read from 0x15fbd30 [0x1601313] (5 bytes => 4 (0x4))
0000 - 67 00 40 g.@
0004 - <SPACES/NULS>
Note the extra characters after the prompt. Also note the other
difference in the cipher used (RC4-MD5 vs DES-CBC3-SHA). After this
prompt, no IMAP commands are recognized, it's like the client hangs,
only a Ctrl+C helps.
Now if I specify the cipher to s_client, it works ok with 1.0.1 too:
gimre@ximi:/tmp/openssl-1.0.1$ ./apps/openssl s_client -debug -cipher RC4-MD5 -connect hostname:993 -crlf
[...]
No client certificate CA names sent
---
SSL handshake has read 1052 bytes and written 234 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID:
70060000427964ED9F2835D87A39FEC16500E27886E4E02C223541038722263D
Session-ID-ctx:
Master-Key:
D7E377AD47030FD5733DC671F2A5CF16DD901DC46437FAD8B9D5B6A48B045BB2764BAF2FC3C78EAE0BA1A2689DA2D358
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1332515392
Timeout : 300 (sec)
Verify return code: 10 (certificate has expired)
---
read from 0x1845590 [0x184ab73] (5 bytes => 5 (0x5))
0000 - 17 03 01 00 78                                    ....x
read from 0x1845590 [0x184ab78] (120 bytes => 120 (0x78))
0000 - 16 29 f8 73 25 57 23 ac-93 0e c8 49 40 00 35 bd   .).s%W#....I@.5.
0010 - be 14 5a bd 84 2c 92 88-47 d6 ad 93 8b 98 98 f4   ..Z..,..G.......
0020 - 09 5b be aa c8 ac 63 a8-00 32 f1 ab a0 a2 84 e9   .[....c..2......
0030 - 87 5e b4 a5 1e c6 77 d1-f6 dd e3 63 cf 4e 80 b8   .^....w....c.N..
0040 - 39 79 d4 9c 75 64 1e 1f-87 0c a9 18 fe e1 59 74   9y..ud........Yt
0050 - 1a 3e 26 9f d2 13 27 2b-78 7e 2f e7 dc a6 94 33   .>&...'+x~/....3
0060 - cd 1e eb 65 b7 33 f8 28-a9 05 94 4e 71 ef 5a f2   ...e.3.(...Nq.Z.
0070 - 48 72 6a 5d a1 3a 09 a1-                          Hrj].:..
* OK Microsoft Exchange Server 2003 IMAP4rev1 server version 6.5.7638.1 (hostname) ready.
I've tested 1.0.1 with other mail servers (gmail, a courier-imap server)
and they work without problems. They also use other ciphers.
Is this an openssl problem or an Exchange 2003 configuration problem,
or an incompatibility between the two? I have no access to that Exchange
server to see how it is configured.
I'm using fetchmail to get my email from this server. As a workaround,
can I somehow configure openssl to use this particular cipher (or maybe
an older list of ciphers from 1.0.0h) so that fetchmail will work
without recompiling fetchmail to use another openssl and without
reinstalling the openssl package?
Thanks.
--
Imre Gergely
http://havaz.net
gpg --keyserver subkeys.pgp.net --recv-keys 0x34525305
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
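The diagnosis in the post boils down to two checks: which cipher suite the server negotiated, and whether the bytes that follow the TLS handshake are a clean IMAP greeting or a greeting followed by stray data before the connection stalls. The script below is an added example (not code from the original post or from the OpenSSL project) that automates both: `parse_s_client` extracts the negotiated cipher, the secure-renegotiation flag and the verify code from saved `openssl s_client` output, `check_greeting` classifies the first bytes read after the handshake, and `probe` performs a live connection with a caller-chosen OpenSSL cipher string and a read timeout so that a hang is reported instead of blocking. The sample `s_client` fragments are constructed from the post's own output; the host `hostname`, port 993, the cipher strings and the timeout values are assumptions, and whether a given cipher string (such as `RC4-MD5`) can be selected at all depends on the OpenSSL build Python is linked against.

```python
"""Probe an IMAPS server with a restricted OpenSSL cipher list and check
whether the IMAP greeting arrives cleanly. Added example, not original code."""
import re
import socket
import ssl
import sys

# Constructed samples: the relevant lines from the post's two s_client runs.
SAMPLE_OK = """\
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
    Verify return code: 10 (certificate has expired)
"""
SAMPLE_BAD = """\
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
    Verify return code: 10 (certificate has expired)
"""

def parse_s_client(output: str) -> dict:
    """Pull the negotiated cipher, secure-renegotiation flag and verify
    return code out of `openssl s_client` output."""
    cipher = re.search(r"Cipher is (\S+)", output)
    reneg = re.search(r"Secure Renegotiation IS (NOT )?supported", output)
    verify = re.search(r"Verify return code: (\d+)", output)
    return {
        "cipher": cipher.group(1) if cipher else None,
        "secure_renegotiation": bool(reneg) and reneg.group(1) is None,
        "verify_code": int(verify.group(1)) if verify else None,
    }

# An IMAP greeting is one "* OK ..." line terminated by CRLF (RFC 3501).
GREETING_RE = re.compile(rb"^\* OK .*ready\.\r?\n")

def check_greeting(data: bytes) -> dict:
    """Classify the first bytes read after the handshake: a clean greeting
    ends at CRLF with nothing after it; anything else (no greeting at all,
    or extra bytes such as the "g.@" seen in the post) is flagged."""
    m = GREETING_RE.match(data)
    if not m:
        return {"clean": False, "trailing": data}
    trailing = data[m.end():]
    return {"clean": trailing == b"", "trailing": trailing}

def _drain(sock, idle_timeout: float) -> bytes:
    """Read until the server goes quiet for idle_timeout seconds, so a second
    TLS record (the post's stray bytes) is captured along with the greeting."""
    sock.settimeout(idle_timeout)
    chunks = []
    while True:
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:
            break
        chunks.append(chunk)
    return b"".join(chunks)

def probe(host: str, port: int = 993, ciphers: str = "DEFAULT",
          timeout: float = 5.0, idle_timeout: float = 1.0) -> dict:
    """Connect with the given OpenSSL cipher string and report what was
    negotiated plus the greeting check. Certificate verification is
    disabled on purpose: the post's server cert is expired and the goal
    here is only to compare cipher behaviour, not to trust the peer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # A 2003-era server speaks TLS 1.0 only; allow it for this diagnostic.
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    # Raises ssl.SSLError("No cipher can be selected") if this OpenSSL
    # build has no suite matching the string (RC4-MD5 is usually gone).
    ctx.set_ciphers(ciphers)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            data = _drain(tls, idle_timeout)
            return {"cipher": tls.cipher()[0], "version": tls.version(),
                    "greeting": check_greeting(data)}

if __name__ == "__main__":
    # Usage: python probe_imaps.py hostname [cipher-string]
    target = sys.argv[1]
    cipher_str = sys.argv[2] if len(sys.argv) > 2 else "DEFAULT"
    print(probe(target, ciphers=cipher_str))
```

Run it once with the default cipher list and once with the cipher the working 1.0.0h handshake chose; a result whose `greeting["clean"]` is `False` with non-empty `trailing` reproduces the symptom in the post without waiting on a hung session.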