ssl certificate check on imap failing with wrong version number

Issue #694 new
Landry Breuil created an issue

Experienced this with 5.20.0 on debian stretch and 5.25.1 on openbsd-current, using the following config:

check host imap with address imap
    if failed port 143 protocol imap with ssl options {version: TLSV12} and certificate valid > 7 days then alert

On debian (with openssl 1.1.0f-3+deb9u1) I get this:

failed protocol test [IMAP] at [imap]:143 [TCP/IP SSL] -- SSL connection error: error:1408F10B:SSL routines:ssl3_get_record:wrong version number

If I don't specify the version (so that it uses TLS by default afaict) the error message is the same.

If I try with version: SSLv3 (which isn't advertised by the server) I get this:

failed protocol test [IMAP] at [imap]:143 [TCP/IP SSL] -- SSL connection error: error:141640BF:SSL routines:tls_construct_client_hello:no protocols available

So the version is correctly sent to the server.

Using openssl s_client, the default TLS version advertised by the server is TLS v1.2:

$openssl s_client -connect imap:143
CONNECTED(00000003)
139684875003136:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2

With 5.25.1 on openbsd (and libressl 2.6.3), I get similar results with a slightly different error message:

failed protocol test [IMAP] at [imap]:143 [TCP/IP TLS] -- SSL connection error: error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number


$openssl s_client -connect imap:143
CONNECTED(00000003)
32558945203680:error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number:/usr/src/lib/libssl/ssl_pkt.c:386:

Which leads to this check here: https://github.com/libressl-portable/openbsd/blob/master/src/lib/libssl/ssl_pkt.c#L385

Strangely, on the same host the certificate check has no issue talking to postfix on port 587:

check host smtp with address smtp every '0 1 * * *'
  if failed port 587 protocol smtp and certificate valid > 7 days then alert

openssl s_client shows the same 'error' at the top when connecting to this port, so I'm puzzled as to why the smtp check would work and not the imap check. Maybe a difference at the protocol level in monit when checking for ssl return codes?

The server is running dovecot/postfix on openbsd with libressl 2.6.x.

Comments (2)

  1. Landry Breuil reporter

    The linux/x64 and the openbsd/x64 binaries both fail in a strange way:

    Socket test failed for [172.20.97.2]:143 -- SSL connection error: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
    'imap' failed protocol test [IMAP] at [imap]:143 [TCP/IP TLS] -- SSL connection error: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
    -------------------------------------------------------------------------------
        ./bin/monit() [0x41cc53]
        ./bin/monit() [0x41d52f]
        ./bin/monit() [0x417f03]
        ./bin/monit() [0x42bfae]
        ./bin/monit() [0x42c15b]
        ./bin/monit() [0x42ca7a]
        ./bin/monit() [0x413b5a]
        ./bin/monit() [0x41464f]
        /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1) [0x7f2603d1c2b1]
        ./bin/monit() [0x404d2a]
    -------------------------------------------------------------------------------
    'imap' certificate expiry in 0 days matches check limit [valid > 7 days]
    -------------------------------------------------------------------------------
        ./bin/monit() [0x41cc53]
        ./bin/monit() [0x41d52f]
        ./bin/monit() [0x417f03]
        ./bin/monit() [0x42bf74]
        ./bin/monit() [0x42c15b]
        ./bin/monit() [0x42ca7a]
        ./bin/monit() [0x413b5a]
        ./bin/monit() [0x41464f]
        /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1) [0x7f2603d1c2b1]
        ./bin/monit() [0x404d2a]
    -------------------------------------------------------------------------------
    
    
    Socket test failed for [172.20.97.2]:143 -- SSL connection error: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
    'imap' failed protocol test [IMAP] at [imap]:143 [TCP/IP TLS] -- SSL connection error: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
    'imap' certificate expiry in 0 days matches check limit [valid > 7 days]
    

    So my guess is that it's an interoperability issue between openssl and libressl, but it's strange that it isn't happening for smtp/postfix on the same target server.
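
An added example, not part of the original report or of monit's code: a simplified model of the record-header check the report links to in `ssl_pkt.c`, showing how the first 5 bytes read by the client (the s_client output above reports exactly 5 bytes read) produce "wrong version number" when they are not a TLS record. It assumes the server on port 143 opens with a plaintext IMAP greeting and only offers TLS after STARTTLS, which the thread does not confirm; the function name and sample bytes are constructed for illustration.

```python
import struct

# TLS record content types a client accepts at the start of a handshake.
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}

# Plaintext banners that commonly arrive where a TLS record was expected.
PLAINTEXT_BANNERS = {
    b"* OK": "IMAP greeting (cleartext port, TLS only after STARTTLS)",
    b"220 ": "SMTP/FTP banner (cleartext port, TLS only after STARTTLS/AUTH TLS)",
    b"220-": "SMTP/FTP multi-line banner",
    b"+OK ": "POP3 greeting (TLS only after STLS)",
    b"HTTP": "HTTP response from a non-TLS port",
}


def classify_first_bytes(data: bytes) -> dict:
    """Interpret the first 5 bytes from a server the way a TLS client does."""
    if len(data) < 5:
        raise ValueError("need at least the 5-byte record header")
    # Record header: content type, version major, version minor, 16-bit length.
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    info = {"content_type": ctype, "version": (major, minor), "length": length}
    if major == 3 and ctype in TLS_CONTENT_TYPES:
        info["verdict"] = "tls_record"
        info["detail"] = TLS_CONTENT_TYPES[ctype]
    elif major != 3:
        # Simplified model of the record-layer check: major version must be 3.
        info["verdict"] = "wrong version number"
        info["detail"] = PLAINTEXT_BANNERS.get(data[:4], "unrecognised non-TLS data")
    else:
        info["verdict"] = "unexpected record type"
        info["detail"] = "major version 3 but unknown content type"
    return info


# Constructed samples: a dovecot-style greeting and a TLS 1.2 handshake header.
SAMPLES = {
    "imap_143": b"* OK [CAPABILITY IMAP4rev1 STARTTLS] Dovecot ready.\r\n",
    "tls_12": bytes.fromhex("160303005a"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_first_bytes(raw))
```

To test the handshake on a STARTTLS port from the command line, `openssl s_client -connect imap:143 -starttls imap` performs the protocol upgrade before starting TLS.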
