Okay, I got it working by calling this right after creating the context:

    SSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:RC4-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5");
This is the default cipher list for OpenSSL 1.0.1f, with RC4-SHA moved up in the order. This will avoid the bug in IIS6/Exchange 2003. Any program that connects to random mail servers should use this method.

I would like to point out that OpenSSL should have an SSL_CTX_get_cipher_list() function so that the cipher list would not need to be hard-coded. This would future-proof it against new ciphers being added in later updates.

Thank you Viktor for pointing me in the right direction.

Viktor Dukhovni wrote:
> On Mon, Jan 06, 2014 at 12:31:35PM -0800, Gammadyne wrote:
>
>> I just tried 1.0.1f and the problem that I reported in May 2012 is still
>> present.
>>
>> If you want to try it for yourself, try sending an email over SSL to
>> nobody@
>>
>> To summarize, after the AUTH LOGIN command is sent, OpenSSL will produce
>> this error:
>>
>> error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>
> See recent thread on this list with:
>
> Subject: Verisign Problem with smtp tls
>
>> > 220 mail.gammadyne.com Microsoft ESMTP MAIL Service, Version:
>> > 6.0.3790.4675 ready at Wed, 16 May 2012 23:59:12 -0500
>
> Microsoft Exchange 2003 server.
>
>> > 220 2.0.0 SMTP server ready
>>
>> >>SSL negotiated, cipher=DES-CBC3-SHA, bits=168, version=TLSv1/SSLv3
>
> Broken DES-CBC3-SHA cipher suite.
>
>> >>AUTH LOGIN
>> >>SSL read error 1: SSL module internal error
>> > error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>
> Mangled SSL record apparently in response to first encrypted command
> after EHLO. As expected. Work-arounds provided in that thread.
>
> You must ensure that RC4-SHA and/or RC4-MD4 occur among the first
> 64 cipher suites in the client SSL HELLO message. By default, with
> OpenSSL 1.0.1 there are more than 64 cipher suites that are stronger
> than RC4-SHA.
>
> Perhaps this is becoming an FAQ item.
>
> --
> Viktor.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@
> Automated List Manager                           majordomo@

--
View this message in context: http://openssl.6102.n7.nabble.com/error-1408F10B-SSL-routines-SSL3-GET-RECORD-wrong-version-number-tp22477p47981.html
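The work-around in this thread comes down to one property of the string handed to SSL_CTX_set_cipher_list(): where RC4-SHA (or RC4-MD5) sits in the order, since Viktor's figure is that it has to be among the first 64 suites the client offers. The following is added example code, not code from the post or from OpenSSL: it embeds the cipher string exactly as posted above, reports the 1-based position of a suite in it, and, where a suite lies beyond the boundary, moves it up to the last slot inside the boundary so that the stronger suites keep their priority. The helper names (parse_cipher_list, position, within_limit, hoist) and the HELLO_LIMIT constant are mine; the limit of 64 is taken from Viktor's message. In a real program the input string does not have to be hard-coded: OpenSSL's SSL_get_cipher_list(ssl, n) returns the n-th cipher name of an SSL object created from the context, so the default list can be read back and fed through hoist() before calling SSL_CTX_set_cipher_list().

```python
"""Check and adjust where a cipher suite sits in an OpenSSL cipher-list
string (added example; the list below is the one posted in the thread)."""
from __future__ import annotations

from typing import Optional

# Cipher string from the post (OpenSSL 1.0.1f defaults with RC4-SHA moved
# up), reproduced verbatim and split only for line width.
POSTED_LIST = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:"
    "DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:"
    "DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:"
    "DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:"
    "ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:"
    "ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:"
    "ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:"
    "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:"
    "PSK-AES256-CBC-SHA:"
    "ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:"
    "SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:"
    "EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:"
    "ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:"
    "DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:"
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
    "SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:"
    "DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:"
    "DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:"
    "DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:"
    "ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:"
    "ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:"
    "ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:"
    "AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:"
    "RC4-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:"
    "ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:"
    "RC4-MD5:PSK-RC4-SHA:"
    "EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:"
    "EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:"
    "EXP-RC2-CBC-MD5:EXP-RC4-MD5"
)

# Viktor's figure (assumption taken from the thread): the broken server
# only considers the first 64 suites of the ClientHello.
HELLO_LIMIT = 64


def parse_cipher_list(spec: str) -> list[str]:
    """Split a colon-separated OpenSSL cipher string; empty fields are dropped."""
    return [name for name in spec.split(":") if name]


def position(spec: str, suite: str) -> Optional[int]:
    """1-based position of `suite` in `spec`, or None when it is absent
    (for example on a build that has the RC4 ciphers compiled out)."""
    names = parse_cipher_list(spec)
    return names.index(suite) + 1 if suite in names else None


def within_limit(spec: str, suite: str, limit: int = HELLO_LIMIT) -> bool:
    """True only if `suite` is present and among the first `limit` entries."""
    pos = position(spec, suite)
    return pos is not None and pos <= limit


def hoist(spec: str, suites: list[str], limit: int = HELLO_LIMIT) -> str:
    """Return `spec` with every suite in `suites` that exists but lies past
    `limit` moved to the last slots inside the limit, in the order given.
    Everything else keeps its relative order, so stronger suites stay
    preferred; suites already inside the limit are not touched."""
    names = parse_cipher_list(spec)
    to_move = [s for s in suites if s in names and names.index(s) >= limit]
    rest = [n for n in names if n not in to_move]
    cut = max(0, limit - len(to_move))
    return ":".join(rest[:cut] + to_move + rest[cut:])


if __name__ == "__main__":
    for suite in ("RC4-SHA", "RC4-MD5"):
        print(f"{suite}: position {position(POSTED_LIST, suite)}, "
              f"within first {HELLO_LIMIT}: {within_limit(POSTED_LIST, suite)}")
    adjusted = hoist(POSTED_LIST, ["RC4-SHA", "RC4-MD5"])
    print("after hoist:", position(adjusted, "RC4-SHA"), position(adjusted, "RC4-MD5"))
```

The order of the string is the client's preference order, so hoist() deliberately parks the work-around suites at the boundary rather than at the front: putting RC4 first would make the client pick RC4 against every server, not only the one with the broken implementation.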