TB 78.4 does not seem to be respecting tls.version.min
I previously had to set tls.version.min to 1 when moving from 68 to 78 and that was fine. Now after upgrading from 78.3 to 78.4 the connection fails again despite the minimum tls version being set to 1.
Looking at the connection in wireshark, in the Client Hello, the supported versions are given as:
Extension: supported_versions (len=5)
Type: supported_versions (43) Length: 5 Supported Versions length: 4 Supported Version: TLS 1.3 (0x0304) Supported Version: TLS 1.2 (0x0303)
which then causes the expected
Alert Message
Level: Fatal (2) Description: Protocol Version (70)
The cipher suite chosen by the server hello is included in the client hello so they're not mismatching for what it's worth.
Modificato da Conor il
Tutte le risposte (3)
What is the server address name? You'll need to post more of the wireshark.
The mail server is mail.blacknight.com and the Wireshark overview is as follows, I'd add the actual pcapng if it was possible.
The TLS protocol version failure alert occurs at line 91: 43 6.272506420 10.0.0.15 81.17.254.9 TCP 74 4 39152 → 143 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=3248854081 TSecr=0 WS=128
44 6.273882829 10.0.0.15 81.17.254.9 TCP 74 4 34206 → 110 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=3248854083 TSecr=0 WS=128
45 6.283001017 81.17.254.9 10.0.0.15 TCP 74 4 143 → 39152 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1380 SACK_PERM=1 TSval=87655800 TSecr=3248854081 WS=128
46 6.283073335 10.0.0.15 81.17.254.9 TCP 66 4 39152 → 143 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=3248854092 TSecr=87655800
47 6.285566164 81.17.254.9 10.0.0.15 TCP 74 4 110 → 34206 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1380 SACK_PERM=1 TSval=87655803 TSecr=3248854083 WS=128
48 6.285712523 10.0.0.15 81.17.254.9 TCP 66 4 34206 → 110 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=3248854095 TSecr=87655803
49 6.293563873 81.17.254.9 10.0.0.15 IMAP 173 4 Response: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS AUTH=PLAIN] Dovecot ready.
50 6.293608719 10.0.0.15 81.17.254.9 TCP 66 4 39152 → 143 [ACK] Seq=1 Ack=108 Win=64256 Len=0 TSval=3248854103 TSecr=87655810
51 6.325515240 10.0.0.15 81.17.254.9 IMAP 78 4 Request: 1 STARTTLS
52 6.337599723 81.17.254.9 10.0.0.15 TCP 66 4 143 → 39152 [ACK] Seq=108 Ack=13 Win=5888 Len=0 TSval=87655854 TSecr=3248854134
53 6.337673958 81.17.254.9 10.0.0.15 IMAP 99 4 Response: 1 OK Begin TLS negotiation now.
54 6.337719281 10.0.0.15 81.17.254.9 TCP 66 4 39152 → 143 [ACK] Seq=13 Ack=141 Win=64256 Len=0 TSval=3248854147 TSecr=87655854
57 6.393028857 10.0.0.15 81.17.254.9 IMAP 583 4 Request: \026\003\001\002\000\001\000\001�\003\003\004����\003X-��2Ƽ�\aBAy�\005�3/7b�\033ed� ^YC�����'��P�H\004��(i������,�1L�\025�\000"\023\001\023\003\023\002�+�/�����,�0�
58 6.406364860 81.17.254.9 10.0.0.15 IMAP 1434 4 Response: \026\003\001\000Q\002\000\000M\003\001_�c2� \001\025��\033�\0228[�K�H\024Ĭ�#}q�v�R \ab���V��I�o�H��B�/�I[L\026��i��KC�d\000/\000\000\005�\001\000\001\000\026\003\001\026\017\v\000\026\v\000\026\b\000\006*0�\006&0�\005\016�\003\002\001\002\002\021\000����f獷����\017��c0
59 6.406485740 10.0.0.15 81.17.254.9 TCP 66 4 39152 → 143 [ACK] Seq=530 Ack=1509 Win=64128 Len=0 TSval=3248854215 TSecr=87655922
60 6.406526577 81.17.254.9 10.0.0.15 IMAP 1434 4 Response: q�\002!\000R����S��n\031�Z�����W5��3��a�>��ms0��\006\003U\035\021\004��0���\023mail.blacknight.com�\030imap5r.cp.blacknight.com�\036inbound-smtp.cp.blacknight.com�\030pop33r.cp.blacknight.com�\030smtp1r.cp.blacknight.com0
61 6.406564200 10.0.0.15 81.17.254.9 TCP 66 4 39152 → 143 [ACK] Seq=530 Ack=2877 Win=62976 Len=0 TSval=3248854215 TSecr=87655922
62 6.406755071 10.0.0.15 81.17.254.9 TCP 73 4 39152 → 143 [PSH, ACK] Seq=530 Ack=2877 Win=62976 Len=7 TSval=3248854216 TSecr=87655922 [TCP segment of a reassembled PDU]
63 6.406890144 10.0.0.15 81.17.254.9 TCP 66 4 39152 → 143 [RST, ACK] Seq=537 Ack=2877 Win=64128 Len=0 TSval=3248854216 TSecr=87655922
64 6.422084923 81.17.254.9 10.0.0.15 TCP 66 4 [TCP Dup ACK 58#1] 143 → 39152 [PSH, ACK] Seq=2877 Ack=530 Win=6912 Len=0 TSval=87655922 TSecr=3248854202
65 6.422130208 10.0.0.15 81.17.254.9 TCP 54 4 39152 → 143 [RST] Seq=530 Win=0 Len=0
66 6.422173720 81.17.254.9 10.0.0.15 IMAP 1434 4 Response: \001\001\f\005\000\003�\002\001\0002�a�\016H�OǺGM�x\031\001�\023\035�o��p�R�13�WR�1�k��T���@\027h�\021\020|����U���6���9Q�F�\017����~I�*6\027��h9z��NVo�{;�
67 6.422204194 10.0.0.15 81.17.254.9 TCP 54 4 39152 → 143 [RST] Seq=530 Win=0 Len=0
68 6.423597989 81.17.254.9 10.0.0.15 IMAP 1434 4 Response: ST0\031\023��}7��]:l5\�A�\022��I\v����\t�b��f�%�����?�9\017�\002��\022L�|�k\005�^\026���g��\023��[��L��[���s�#;-\000�5Ut\tI�IX\032\177�6�Q�\016�&}\034M\027���C&пA_@�DD��W��P\037WT�>�tc/�Pe\t�XB.C\032L��%GY�\004\036��&FJP����x��g\025��W�\036\017c��b��_U.�\�(\b\004%9�\016+��L�\034\a?
69 6.423625986 10.0.0.15 81.17.254.9 TCP 54 4 39152 → 143 [RST] Seq=530 Win=0 Len=0
70 6.423641402 81.17.254.9 10.0.0.15 IMAP 341 4 Response: \006\t*�H��
71 6.423656894 10.0.0.15 81.17.254.9 TCP 54 4 39152 → 143 [RST] Seq=530 Win=0 Len=0
72 6.423666746 81.17.254.9 10.0.0.15 TCP 66 4 143 → 39152 [FIN, ACK] Seq=5888 Ack=537 Win=6912 Len=0 TSval=87655939 TSecr=3248854216
73 6.423676739 10.0.0.15 81.17.254.9 TCP 54 4 39152 → 143 [RST] Seq=537 Win=0 Len=0
75 6.911991172 81.17.254.9 10.0.0.15 POP 86 4 S: +OK Dovecot ready.
76 6.912031999 10.0.0.15 81.17.254.9 TCP 66 4 34206 → 110 [ACK] Seq=1 Ack=21 Win=64256 Len=0 TSval=3248854721 TSecr=87656428
77 6.915765154 10.0.0.15 81.17.254.9 POP 72 4 C: AUTH
78 6.924593664 81.17.254.9 10.0.0.15 TCP 66 4 110 → 34206 [ACK] Seq=21 Ack=7 Win=5888 Len=0 TSval=87656441 TSecr=3248854725
79 6.924624933 81.17.254.9 10.0.0.15 POP 74 4 S: +OK
80 6.924636423 10.0.0.15 81.17.254.9 TCP 66 4 34206 → 110 [ACK] Seq=7 Ack=29 Win=64256 Len=0 TSval=3248854734 TSecr=87656441
81 6.926082760 81.17.254.9 10.0.0.15 TCP 66 4 [TCP Dup ACK 78#1] 110 → 34206 [PSH, ACK] Seq=29 Ack=7 Win=5888 Len=0 TSval=87656441 TSecr=3248854725
82 6.927269329 10.0.0.15 81.17.254.9 POP 72 4 C: CAPA
83 6.938375224 81.17.254.9 10.0.0.15 POP 139 4 S: +OK
84 6.938451630 10.0.0.15 81.17.254.9 TCP 66 4 34206 → 110 [ACK] Seq=13 Ack=102 Win=64256 Len=0 TSval=3248854747 TSecr=87656455
85 6.939828509 10.0.0.15 81.17.254.9 POP 72 4 C: STLS
86 6.950399031 81.17.254.9 10.0.0.15 POP 98 4 S: +OK Begin TLS negotiation now.
87 6.956790198 10.0.0.15 81.17.254.9 TLSv1 583 4 Client Hello
88 6.977024740 81.17.254.9 10.0.0.15 TLSv1 1434 4 Server Hello
89 6.977067276 81.17.254.9 10.0.0.15 TCP 1434 4 110 → 34206 [ACK] Seq=1502 Ack=536 Win=6912 Len=1368 TSval=87656487 TSecr=3248854766 [TCP segment of a reassembled PDU]
90 6.977100230 10.0.0.15 81.17.254.9 TCP 66 4 34206 → 110 [ACK] Seq=536 Ack=2870 Win=62976 Len=0 TSval=3248854786 TSecr=87656487
91 6.977142320 10.0.0.15 81.17.254.9 TLSv1 73 4 Alert (Level: Fatal, Description: Protocol Version)
92 6.977195872 10.0.0.15 81.17.254.9 TCP 66 4 34206 → 110 [RST, ACK] Seq=543 Ack=2870 Win=64128 Len=0 TSval=3248854786 TSecr=87656487
93 6.987253338 81.17.254.9 10.0.0.15 TCP 1434 4 110 → 34206 [ACK] Seq=2870 Ack=536 Win=6912 Len=1368 TSval=87656503 TSecr=3248854786 [TCP segment of a reassembled PDU]
94 6.987291720 10.0.0.15 81.17.254.9 TCP 54 4 34206 → 110 [RST] Seq=536 Win=0 Len=0
95 6.987305589 81.17.254.9 10.0.0.15 TCP 1434 4 110 → 34206 [ACK] Seq=4238 Ack=536 Win=6912 Len=1368 TSval=87656503 TSecr=3248854786 [TCP segment of a reassembled PDU]
96 6.987311841 10.0.0.15 81.17.254.9 TCP 54 4 34206 → 110 [RST] Seq=536 Win=0 Len=0
97 6.987316583 81.17.254.9 10.0.0.15 TLSv1 341 4 Certificate, Server Hello Done
98 6.987321434 10.0.0.15 81.17.254.9 TCP 54 4 34206 → 110 [RST] Seq=536 Win=0 Len=0
99 6.987325138 81.17.254.9 10.0.0.15 TCP 66 4 [TCP Dup ACK 88#1] 110 → 34206 [PSH, ACK] Seq=5881 Ack=536 Win=6912 Len=0 TSval=87656503 TSecr=3248854786
100 6.987329744 10.0.0.15 81.17.254.9 TCP 54 4 34206 → 110 [RST] Seq=536 Win=0 Len=0
101 6.989710109 81.17.254.9 10.0.0.15 TCP 66 4 110 → 34206 [FIN, ACK] Seq=5881 Ack=543 Win=6912 Len=0 TSval=87656506 TSecr=3248854786
102 6.989742987 10.0.0.15 81.17.254.9 TCP 54 4 34206 → 110 [RST] Seq=543 Win=0 Len=0
Modificato da NoahSUMO il
you may try also with increasing the timeout settings (in about:config). their are also few other related settings to assists TB with older/unsafe protocols.
and if you want to, you may use a second-TB, a v68 series TB, for that email account. more info.
as usual, "mail protection" should be disabled unless it has an "EXCEPTION" sub-option, then add IMAP/POP3 & SMTP, etc into exception list . make sure your AV/SS has "Scan files on access" enabled. use smk code as password for mail-account in TB, if your MSP supports that. or use OAuth2 (enable cookie) for mail-account in TB. more info.
Modificato da atErik il