[Users] POP3S - SSL Handshake Failures (Repost).

ENI info at endeavor-networks.com
Thu Aug 28 07:31:53 CEST 2014


Please excuse the repost. We received numerous DMARC reports indicating
that our initial post was not being forwarded, due to our DMARC
implementation not accommodating list distribution.


Background

We've been using Claws Mail (Win32) to reliably send/receive mail for
~2 years. Two weeks ago (8/17), the server-side certificate used for
POP3S and SMTP (STARTTLS) expired. We believe Claws Mail (CM)
successfully stored the new certificate for both functions, as we were
able to send/receive securely thereafter. Although, we did see the
signature status change from “Correct”, to “No certificate issuer
found”. The POP3S server certificate has since been deleted from the
“Saved SSL Certificates” list during our investigation of the following
issue. We're not sure if it is relevant, but thought it best to disclose
recent events.


Issue - SSL Handshake Failures

On the evening of 8/23, we were able to retrieve mail via POP3s. On the
morning of 8/24 we were not. We are experiencing SSL handshake failures.

A Wireshark capture shows the server responding to the SSLv3 Client
Hello, with a Fatal SSLv3 Record Layer Alert (Handshake Failure).

Claws Mail 3.10.1 (Win32), indicates the following in it's Network Log:

* Account '<redacted>': Connecting to POP3 server:
  <server-name-redacted>:995... 
*** SSL handshake failed

Thunderbird 31.0 succeeds with a TLSv1.2 handshake, whereas CM fails
with a SSLv3 handshake (per Wireshark capture). The cypher suite
negotiated (TLS RSA with AES 256 CBC SHA) in the Thunderbird session,
is supported by CM.

Thunderbird: POP3 Mail Server Settings | Security Settings | Connection
Security | SSL/TLS (selected)

CM: SSL | POP3 | Use SSL for POP3 connection (selected)
CM: SSL | Send (SMTP) | Use STARTTLS command to start SSL session
(selected)

We have three Win XP3 systems configured with CM. There have been no
recent config changes to CM. Each send via SMTP (STARTTLS)
successfully, but each are experiencing POP3S SSL handshake failures.

During our diagnostic efforts, the POP3S server certificate was deleted
in CM, with the expectation that it would be presented again during the
next session setup, but the SSL handshake fails before that can occur.

We've submitted a ticket to our service provider, and are trying to
determine whether there have been any changes on the server side that
would cause the recent SSLv3 handshake failures. We are inclined to
think that they may point to CM, as Thunderbird succeeds (via TLSv1.2).

Any thoughts on how we can diagnose the situation further on our end?

Best Regards,
ENI




More information about the Users mailing list