#1 2019-06-21 11:30:06

fredson
Member
Registered: 2012-06-21
Posts: 4

[SOLVED] SSL unsupported protocol error in mutt

Connecting to IMAP folders of a specific mail account in mutt fails with

SSL failed: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol

For other accounts it works just fine, as it did for this account for a long time.

I cut down my .muttrc: 

$  less ~/.muttrc_debug
set imap_user = username
set imap_pass='mypassword'
set folder = imaps://mailserver
set spoolfile = +INBOX

I'd appreciate any ideas
thanks.

Some more information:

$ mutt -v

Mutt 1.12.1 (2019-06-15)
Copyright (C) 1996-2016 Michael R. Elkins and others.
Mutt comes with ABSOLUTELY NO WARRANTY; for details type `mutt -vv'.
Mutt is free software, and you are welcome to redistribute it
under certain conditions; type `mutt -vv' for details.

System: Linux 5.1.12-arch1-1-ARCH (x86_64)
ncurses: ncurses 6.1.20180127 (compiled with 6.1)
libidn2: 2.2.0 (compiled with 2.2.0)
hcache backend: GDBM version 1.18.1. 27/10/2018 (built Jan 10 2019 15:18:10)

Compiler:
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-pc-linux-gnu/8.3.0/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /build/gcc/src/gcc/configure --prefix=/usr --libdir=/usr/lib --libexecdir=/usr/lib --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=https://bugs.archlinux.org/ --enable-languages=c,c++,ada,fortran,go,lto,objc,obj-c++ --enable-shared --enable-threads=posix --enable-libmpx --with-system-zlib --with-isl --enable-__cxa_atexit --disable-libunwind-exceptions --enable-clocale=gnu --disable-libstdcxx-pch --disable-libssp --enable-gnu-unique-object --enable-linker-build-id --enable-lto --enable-plugin --enable-install-libiberty --with-linker-hash-style=gnu --enable-gnu-indirect-function --enable-multilib --disable-werror --enable-checking=release --enable-default-pie --enable-default-ssp --enable-cet=auto
Thread model: posix
gcc version 8.3.0 (GCC) 

Configure options: '--prefix=/usr' '--sysconfdir=/etc' '--enable-gpgme' '--enable-pop' '--enable-imap' '--enable-smtp' '--enable-hcache' '--enable-sidebar' '--with-curses=/usr' '--with-gss=/usr' '--with-ssl=/usr' '--with-sasl' '--with-idn2' 'CFLAGS=-march=x86-64 -mtune=generic -O2 -pipe -fno-plt' 'LDFLAGS=-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now' 'CPPFLAGS=-D_FORTIFY_SOURCE=2'

Compilation CFLAGS: -Wall -pedantic -Wno-long-long -march=x86-64 -mtune=generic -O2 -pipe -fno-plt

Compile options:
-DOMAIN
-DEBUG
-HOMESPOOL  -USE_SETGID  +USE_DOTLOCK  -DL_STANDALONE  +USE_FCNTL  -USE_FLOCK   
+USE_POP  +USE_IMAP  +USE_SMTP  
+USE_SSL_OPENSSL  -USE_SSL_GNUTLS  +USE_SASL  +USE_GSS  +HAVE_GETADDRINFO  
+HAVE_REGCOMP  -USE_GNU_REGEX  
+HAVE_COLOR  +HAVE_START_COLOR  +HAVE_TYPEAHEAD  +HAVE_BKGDSET  
+HAVE_CURS_SET  +HAVE_META  +HAVE_RESIZETERM  +HAVE_FUTIMENS  
+CRYPT_BACKEND_CLASSIC_PGP  +CRYPT_BACKEND_CLASSIC_SMIME  +CRYPT_BACKEND_GPGME  
-EXACT_ADDRESS  -SUN_ATTACHMENT  
+ENABLE_NLS  -LOCALES_HACK  +HAVE_WC_FUNCS  +HAVE_LANGINFO_CODESET  +HAVE_LANGINFO_YESEXPR  
+HAVE_ICONV  -ICONV_NONTRANS  -HAVE_LIBIDN  +HAVE_LIBIDN2  +HAVE_GETSID  +USE_HCACHE  
+USE_SIDEBAR  -USE_COMPRESSED  +USE_INOTIFY  
-ISPELL
SENDMAIL="/usr/sbin/sendmail"
MAILPATH="/var/mail"
PKGDATADIR="/usr/share/mutt"
SYSCONFDIR="/etc"
EXECSHELL="/bin/sh"
-MIXMASTER

$ openssl version
OpenSSL 1.1.1b  26 Feb 2019

I did not apply any changes to /etc/ssl/openssl.cnf, therefore:

$ diff /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.dist

And maybe something like that:

$ openssl s_client -host mailbox.servername -port 993

CONNECTED(00000003)
---
Certificate chain
 0 s:C = DE, ST = [...] , L =  [...], O =  [...], OU =  [...], CN = servername
   i:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
 1 s:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA
   i:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
 2 s:C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Certification Authority 2
   i:C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
 3 s:C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
   i:C = DE, O = T-Systems Enterprise Services GmbH, OU = T-Systems Trust Center, CN = T-TeleSec GlobalRoot Class 2
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=C = DE, ST = [...], L =  [...], O =  [...], OU = ZIM, CN = servername

issuer=C = DE, O = Verein zur Foerderung eines Deutschen Forschungsnetzes e. V., OU = DFN-PKI, CN = DFN-Verein Global Issuing CA

---
No client certificate CA names sent
---
SSL handshake has read 6350 bytes and written 646 bytes
Verification: OK
---
New, SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 784AA6227F60CD0669E24514EC6CE5886A07FA3FBCFA98D28B52F2E7EC0B1798
    Session-ID-ctx: 
    Master-Key: EBAD5349853ECBB198D2DD0C55072D0330C7F7E205500A3FD15649FC2FC999E0A909BD3B7FFC9E279CC19272621B172F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1561115979
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
* OK [CAPABILITY IMAP4 IMAP4rev1 LITERAL+ ID MUPDATE=mupdate://mupdate.servername/ AUTH=LOGIN AUTH=PLAIN SASL-IR] mupdate.servername Cyrus IMAP4 (Murder) v2.3.7-Invoca-RPM-2.3.7-16.el5_11 server ready

Last edited by fredson (2019-06-21 15:36:30)

Offline

#2 2019-06-21 11:46:30

seth
Member
Registered: 2012-09-03
Posts: 51,030

Re: [SOLVED] SSL unsupported protocol error in mutt

Protocol  : TLSv1

Eeewww…

http://www.mutt.org/doc/manual/#ssl-use-tlsv1

If you have *any* impact on the server (i.e. if you can e.g. threaten the admin with a butter knife) please fix the server instead.

Online

#3 2019-06-21 15:36:06

fredson
Member
Registered: 2012-06-21
Posts: 4

Re: [SOLVED] SSL unsupported protocol error in mutt

I stopped short of stabbing the admin because this also works

set ssl_use_tlsv1.2 = yes

My fault, no, indeed, just the following works:

set ssl_use_tlsv1 = yes

Last edited by fredson (2019-06-21 15:54:58)

Offline

#4 2019-06-21 15:39:16

seth
Member
Registered: 2012-09-03
Posts: 51,030

Re: [SOLVED] SSL unsupported protocol error in mutt

http://www.mutt.org/doc/manual/#ssl-use-tlsv1-2 ?
That's supposed to default to yes, did you disable it?

Online

#5 2019-06-21 15:41:19

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,523
Website

Re: [SOLVED] SSL unsupported protocol error in mutt

He didn't suggest stabbing, specifically.  Perhaps he needs to be "buttered up" to request a change.

But it seems the broadcast was vague: using 1.0 would not be wise, but 1.2 is fine.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman

Offline

#6 2019-06-21 15:56:48

fredson
Member
Registered: 2012-06-21
Posts: 4

Re: [SOLVED] SSL unsupported protocol error in mutt

I changed my post and indeed only 1.0 works. It may well be an unintended change in the server's config.

Offline

#7 2019-06-21 15:58:33

seth
Member
Registered: 2012-09-03
Posts: 51,030

Re: [SOLVED] SSL unsupported protocol error in mutt

Time for the butter knife then.
Still more civil than a spoon.

Online
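
Added example, not part of any post in this thread: a small bash helper that reads `openssl s_client` output like the one quoted in post #1, reports the negotiated protocol (ignoring failed handshakes), and probes which protocol versions a host accepts. The function names and sample outputs are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Sample outputs below are constructed.

# Print the protocol from the SSL-Session block of `openssl s_client` output
# (stdin). Prints nothing when the handshake failed: s_client still emits a
# Protocol line in that case, but with "Cipher : 0000".
negotiated_protocol() {
    awk -F': *' '
        /^[ \t]*Protocol[ \t]*:/ { proto = $2 }
        /^[ \t]*Cipher[ \t]*:/   { cipher = $2 }
        END {
            gsub(/[ \t\r]+$/, "", proto); gsub(/[ \t\r]+$/, "", cipher)
            if (proto != "" && cipher != "" && cipher != "0000") print proto
        }'
}

# TLS 1.0 and 1.1 were formally deprecated by RFC 8996; SSLv3 by RFC 7568.
classify_protocol() {
    case "$1" in
        TLSv1.2|TLSv1.3)      echo ok ;;
        SSLv3|TLSv1|TLSv1.1)  echo deprecated ;;
        *)                    echo unknown ;;
    esac
}

# Constructed samples, modelled on the s_client output format quoted in post #1.
sample_tls10() { printf '%s\n' 'New, SSLv3, Cipher is AES256-SHA' 'SSL-Session:' \
    '    Protocol  : TLSv1' '    Cipher    : AES256-SHA'; }
sample_failed() { printf '%s\n' 'New, (NONE), Cipher is (NONE)' 'SSL-Session:' \
    '    Protocol  : TLSv1.2' '    Cipher    : 0000'; }

# Try one handshake per protocol version. A rejection can come from the server
# or from the local OpenSSL build/policy, so compare against a known-good host.
probe_server() {  # usage: probe_server HOST [PORT]
    local host=$1 port=${2:-993} flag
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        if openssl s_client -connect "$host:$port" "$flag" </dev/null >/dev/null 2>&1
        then echo "$flag accepted"; else echo "$flag rejected"; fi
    done
}

# Only touch the network when a host is given on the command line.
if [ "$#" -ge 1 ]; then probe_server "$@"; fi
```

A server for which only `-tls1` is accepted matches the situation described in post #6; the `ssl_use_tlsv1` setting then works around it on the client while the server remains limited to a deprecated protocol.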
