Discussion:
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Greg Wittmeyer
2012-05-17 23:44:00 UTC
Hello all, hope someone can help.

I upgraded from 1.0.0d to 1.0.1c and immediately started getting this error:

error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

It occurs during SMTP after successful negotiation. Oddly, the first command after negotiation works, but not the second. Here is the complete conversation:

220 mail.gammadyne.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at Wed, 16 May 2012 23:59:12 -0500
EHLO gammadyne.com
250-mail.gammadyne.com Hello [64.126.68.153]
250-AUTH=LOGIN
250-AUTH LOGIN
250-TURN
250-SIZE 30720000
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-TLS
250-STARTTLS
250 OK
STARTTLS
220 2.0.0 SMTP server ready
SSL negotiated, cipher=DES-CBC3-SHA, bits=168, version=TLSv1/SSLv3
EHLO gammadyne.com
250-mail.gammadyne.com Hello [64.126.68.153]
250-AUTH=LOGIN
250-AUTH LOGIN
250-TURN
250-SIZE 30720000
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250 OK
AUTH LOGIN
SSL read error 1: SSL module internal error
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number


My configuration is as follows:

ctx = SSL_CTX_new(SSLv23_client_method());
SSL_CTX_set_mode(ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_AUTO_RETRY);
SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);


I've tried the following solutions to no avail:
* Upgrading NASM to latest version
* Upgrading Perl to latest version
* Installing all updates on the mail server (Windows 2003/IIS6)
* SSL_OP_ALL, SSL_OP_CIPHER_SERVER_PREFERENCE, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION

Using SSL_OP_NO_TLSv1 does fix the problem, but I don't really want to disable TLS1.

Could it be the cipher? On 1.0.0d, the negotiated cipher was RC4-MD5.

It's a rather odd problem. Anyone have any ideas?

TIA, Greg Wittmeyer, Gammadyne Corp.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org
Luke Carpenter
2012-05-18 06:48:30 UTC
I am getting the same problem (various SSL errors after a successful
negotiation) with an SMTP server I've written in Ruby, and I'm stuck
with it

I've resorted to tracing through the Postfix SSL/TLS code to see how
they handle it, and it looks like they just keep retrying the
operation until it's successful (tls_bio_ops.c or something similar)

Good luck, I would love to know if you find a solution

Thanks,
Luke

====

Sent via Nyx
Dr. Stephen Henson
2012-05-18 10:57:33 UTC
It's a known issue. The latest snapshots could fix it, or apply this patch to
1.0.1c:

http://cvs.openssl.org/chngview?cn=22565

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Gammadyne
2014-01-06 20:31:35 UTC
I just tried 1.0.1f and the problem that I reported in May 2012 is still
present.

If you want to try it for yourself, try sending an email over SSL to
nobody-eAI0HjOHDRZmR6Xm/***@public.gmane.org

To summarize, after the AUTH LOGIN command is sent, OpenSSL will produce
this error:

error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Viktor Dukhovni
2014-01-06 20:47:34 UTC
See recent thread on this list with:

Subject: Verisign Problem with smtp tls
Post by Gammadyne
Post by Greg Wittmeyer
6.0.3790.4675 ready at Wed, 16 May 2012 23:59:12 -0500
Microsoft Exchange 2003 server.
Post by Gammadyne
Post by Greg Wittmeyer
220 2.0.0 SMTP server ready
SSL negotiated, cipher=DES-CBC3-SHA, bits=168, version=TLSv1/SSLv3
Broken DES-CBC3-SHA cipher suite.
Post by Gammadyne
Post by Greg Wittmeyer
AUTH LOGIN
SSL read error 1: SSL module internal error
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Mangled SSL record apparently in response to first encrypted command
after EHLO. As expected. Work-arounds provided in that thread.

You must ensure that RC4-SHA and/or RC4-MD4 occur among the first
64 cipher suites in the client SSL HELLO message. By default, with
OpenSSL 1.0.1 there are more than 64 cipher suites that are stronger
than RC4-SHA.

Perhaps this is becoming an FAQ item.
--
Viktor.
Gammadyne
2014-01-07 16:32:21 UTC
Okay, I got it working by calling this right after creating the context:

SSL_CTX_set_cipher_list(ctx,
"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:RC4-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5");

This is the default cipher list for OpenSSL 1.0.1f, with RC4-SHA moved up in
the order. This will avoid the bug in IIS6/Exchange 2003. Any program that
connects to random mail servers should use this method.

I would like to point out that OpenSSL should have a
SSL_CTX_get_cipher_list() function so that the cipher list would not need to
be hard-coded. This would future-proof it against new ciphers being added
in later updates.

Thank you Viktor for pointing me in the right direction.