[Users] IMAP / SSL failure

Jeremy Volkening jdv at base2bio.com
Wed Nov 12 06:30:38 CET 2014


Hello,

Connection to one of my IMAP accounts has recently started failing with:

GnuTLS error: A TLS packet with unexpected length was received.
** (claws-mail:14118): WARNING **: [23:17:03] SSL handshake failed

I suspect this has to do with the mail server no longer accepting SSLv3
connections. I have seen a number of messages about this in the list
archives. I have compiled the latest v3.11.1 (on Debian 'wheezy') and
set the following in my .claws-mail/accountrc:

gnutls_set_priority=1
gnutls_priority=NORMAL:-VERS-SSL3.0

with no success. I have also tried forcing:

gnutls_set_priority=1
gnutls_priority=VERS-TLS1.2

but the connection still fails. Using Wireshark, I see that claws-mail
is still sending a HELLO using SSLv3. If I connect with the same
settings using Icedove, Wireshark shows it using TLSv1.2 and the
connection succeeds. The claws-mail account settings are set to use SSL.
If I try to use STARTTLS for incoming IMAP, nothing happens until
claws-mail times out. I see the same behavior with STARTTLS in Icedove,
which leads me to believe that STARTTLS will not work with the mail
server (wiscmail.wisc.edu).

The output from gnutls-cli-debug is as follows:

jeremy at xxxxxxx:~$ gnutls-cli-debug -p 993 wiscmail.wisc.edu
Resolving 'wiscmail.wisc.edu'...
Connecting to '144.92.197.133:993'...
Checking for SSL 3.0 support... no
Checking whether %COMPAT is required... yes
Checking for TLS 1.0 support... no
Checking for TLS 1.1 support... no
Checking fallback from TLS 1.1 to... failed
Checking for TLS 1.2 support... no
Checking whether we need to disable TLS 1.0... yes

Server does not support any of SSL 3.0, TLS 1.0 and TLS 1.1


This doesn't help, since it doesn't show ANYTHING as being supported
(although TLSv1.2 is definitely supported). I've also tried adding the
'%COMPAT' string to the 'gnutls_profile'. If anyone has any insight into
this, please let me know. It seems like the above fixes have worked for
others but not me. Is there any way to use TLSv1.2 with claws-mail
without using STARTTLS? Thanks,

Jeremy
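
Added example, not part of the original message: a ClientHello carries a record-layer version and a separate client_version (plus, in newer clients, a supported_versions extension), so a capture can be checked for the highest version actually offered. The function names and the sample bytes below are constructed for illustration and are not taken from any capture of this server.

```python
import struct

NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
         0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def parse_client_hello(record: bytes) -> dict:
    """Report the versions in one TLS record that holds a whole ClientHello."""
    try:
        ctype, rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
        if ctype != 0x16 or record[5] != 0x01:
            raise ValueError("not a ClientHello handshake record")
        end = 5 + rec_len
        if len(record) < end:
            raise ValueError("truncated record")
        (hello_ver,) = struct.unpack_from("!H", record, 9)
        pos = 9 + 2 + 32                                     # client_version + random
        pos += 1 + record[pos]                               # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
        pos += 1 + record[pos]                               # compression_methods
        offered = []
        if pos + 2 <= end:                                   # extensions are optional
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack_from("!HH", record, pos)
                if etype == 43:                              # supported_versions
                    body = record[pos + 4:pos + 4 + elen]
                    offered = [int.from_bytes(body[i:i + 2], "big")
                               for i in range(1, len(body) - 1, 2)]
                pos += 4 + elen
    except (struct.error, IndexError):
        raise ValueError("truncated ClientHello") from None
    known = [v for v in offered if v in NAMES]               # skip unknown/GREASE values
    highest = max(known) if known else hello_ver
    return {"record_layer": NAMES.get(rec_ver, hex(rec_ver)),
            "highest_offered": NAMES.get(highest, hex(highest))}

def sample_hello(rec_ver: int, hello_ver: int) -> bytes:
    """Constructed ClientHello (zero random, one cipher suite), not a real capture."""
    body = struct.pack("!H", hello_ver) + bytes(32) + b"\x00"  # empty session_id
    body += struct.pack("!HH", 2, 0x002F) + b"\x01\x00"        # one suite, null compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, rec_ver, len(hs)) + hs

if __name__ == "__main__":
    print(parse_client_hello(sample_hello(0x0300, 0x0303)))
```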




