On 2021-03-14 at 11:24 PM, Ian A. White <raj.the...@gmail.com> wrote:
> My web / e-mail host is also trying to blame things on the version of TLS
> and are saying they will not support versions earlier than 1.2. How do I
> find out the version of TLS that The Bat uses?

From another thread, I think you are trying to access mail.wai.com.au and c4s4-4e-syd.hosting-services.net.au.

Your mail server is using newish TLS features (SNI) to make mail.wai.com.au work over TLS. I would try connecting to it at mail.wai.com.au using (a trial of?) the current version of The Bat! or with another client like Thunderbird. It should work using that address.

The Bat! v8.5 is the first version that supports TLS 1.2. (Changelog: https://www.ritlabs.com/en/products/thebat/revision-history/7136/)

The first version of The Bat! to support SNI was v8.4. (Changelog: https://www.ritlabs.com/en/products/thebat/revision-history/7121/)

TLS jargon and technical details below.

> TLS handshake failure. The server host name ("****.***.***.**") does
> not match the certificate.

In the DNS system, mail.wai.com.au is a CNAME for wai.com.au. wai.com.au has an A record (A for address) for the IP address 103.9.171.57.

c4s4-4e-syd.hosting-services.net.au also has an A record for the IP address 103.9.171.57.

When I establish a TLS connection to the server at 103.9.171.57 and use the TLS Server Name Indication (SNI) extension to tell it which host name I am trying to connect to, I get back a certificate that is valid for mail.wai.com.au, among other domains. (The full certificate I get is below.) Notice that mail.wai.com.au is one of the Subject Alternative Names.

The SNI extension must be used: otherwise the server returns a generic certificate for c4s4-4e-syd.hosting-services.net.au which does not match mail.wai.com.au.

I used the openssl tool to connect to this server and extract its public certificate:

    openssl s_client -connect 'mail.wai.com.au:995' -showcerts -verify_hostname mail.wai.com.au -servername mail.wai.com.au

The decoded certificate it returns is below.
NB: None of this information is private, confidential, or sensitive. It's all needed to make encrypted connections between machines work.

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                f9:46:a3:9d:b7:cc:47:fc:92:c0:3b:e6:f2:77:3c:2d
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority
            Validity
                Not Before: Mar 11 00:00:00 2021 GMT
                Not After : Jun 9 23:59:59 2021 GMT
            Subject: CN=wai.com.au
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Authority Key Identifier:
                    keyid:7E:03:5A:65:41:6B:A7:7E:0A:E1:B8:9D:08:EA:1D:8E:1D:6A:C7:65
                X509v3 Subject Key Identifier:
                    CA:26:C6:D1:02:70:7B:A6:BF:7B:B5:35:56:07:54:B4:1F:97:D0:D5
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Certificate Policies:
                    Policy: 1.3.6.1.4.1.6449.1.2.2.52
                      CPS: https://sectigo.com/CPS
                    Policy: 2.23.140.1.2.1
                X509v3 CRL Distribution Points:
                    Full Name:
                      URI:http://crl.comodoca.com/cPanelIncCertificationAuthority.crl
                Authority Information Access:
                    CA Issuers - URI:http://crt.comodoca.com/cPanelIncCertificationAuthority.crt
                    OCSP - URI:http://ocsp.comodoca.com
                X509v3 Subject Alternative Name:
                    DNS:wai.com.au, DNS:cpanel.wai.com.au, DNS:cpcalendars.wai.com.au, DNS:cpcontacts.wai.com.au, DNS:mail.wai.com.au, DNS:webdisk.wai.com.au, DNS:webmail.wai.com.au, DNS:www.wai.com.au
        Signature Algorithm: sha256WithRSAEncryption

-- 
Christopher Warrington <li...@mygcw.net>

________________________________________________
Current version is 9.1.18 | 'Using TBUDL' information:
http://www.silverstones.com/thebat/TBUDLInfo.html
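
The behaviour described in the message above, modelled offline as an added example that is not part of the original post: a server on one IP address picks its certificate from the SNI value, and the client then checks the configured host name against the Subject Alternative Names it received. The function names are hypothetical, and the contents of the generic certificate are an assumption (the message only says it is issued for c4s4-4e-syd.hosting-services.net.au).

```python
# Added illustration: SNI-based certificate selection and the client's
# host name check. Not The Bat!'s or the hosting provider's actual code.

def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match of one certificate DNS name against a host name."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    # A wildcard is honoured only as the whole left-most label.
    if p_labels[0] == "*" and len(p_labels) > 2:
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def cert_valid_for(san_names, host):
    """True if any Subject Alternative Name covers the host."""
    return any(name_matches(n, host) for n in san_names)

# SAN list copied from the certificate in the message above.
WAI_CERT = ["wai.com.au", "cpanel.wai.com.au", "cpcalendars.wai.com.au",
            "cpcontacts.wai.com.au", "mail.wai.com.au", "webdisk.wai.com.au",
            "webmail.wai.com.au", "www.wai.com.au"]
# Assumption: the generic certificate names only the shared host itself.
DEFAULT_CERT = ["c4s4-4e-syd.hosting-services.net.au"]

# Server side: one IP address, certificate chosen by the SNI value.
VHOST_CERTS = {name: WAI_CERT for name in WAI_CERT}

def server_select_cert(sni):
    """Return the SAN list of the certificate the server would present."""
    if sni is None:
        return DEFAULT_CERT  # no SNI sent: fall back to the generic cert
    return VHOST_CERTS.get(sni.lower(), DEFAULT_CERT)

def client_connect(configured_host, sends_sni):
    """Return (ok, presented_names) for a client configured with a host name."""
    presented = server_select_cert(configured_host if sends_sni else None)
    return cert_valid_for(presented, configured_host), presented

if __name__ == "__main__":
    for host, sni in [("mail.wai.com.au", False), ("mail.wai.com.au", True),
                      ("c4s4-4e-syd.hosting-services.net.au", False)]:
        ok, names = client_connect(host, sni)
        print(f"{host:38} SNI={sni!s:5} -> {'OK' if ok else 'MISMATCH'} ({names[0]})")
```

The first case is the "host name does not match the certificate" failure of a client that sends no SNI; the third shows why the same client can still validate the server under the shared host's own name.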