All Apps and Add-ons

TA-DMARC TLS Version Error

New Member

When attempting to add an input for TA-DMARC, I am receiving the following error:

Error connecting to {imap.hostname.tld} with exception [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:741)

TLS is working on the IMAP host on port 993:

sslscan {imap.hostname.tld}:993
Version: 1.11.13-static
OpenSSL 1.0.2-chacha (1.0.2g-dev)

Connected to {ip.address}

Testing SSL server {imap.hostname.tld} on port 993 using SNI name {imap.hostname.tld}

TLS Fallback SCSV:
Server only supports TLSv1.0

TLS renegotiation:
Secure session renegotiation supported

TLS Compression:
Compression disabled

TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed

Supported Server Cipher(s):
Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-521 DHE 521
Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-521 DHE 521
Accepted TLSv1.0 256 bits AES256-SHA
Accepted TLSv1.0 128 bits AES128-SHA
Accepted TLSv1.0 112 bits DES-CBC3-SHA

SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength: 2048

Subject: {imap.hostname.tld}
Altnames: DNS:{imap.hostname.tld}, {snip}
Issuer: DigiCert SHA2 Secure Server CA

Not valid before: May 31 00:00:00 2017 GMT
Not valid after: Aug 3 12:00:00 2020 GMT

And the SPLUNK instance is able to connect to the IMAP server via TLS 1.0 on port 993:

$SPLUNK_HOME/bin/splunk cmd openssl s_client -connect {imap.hostname.tld}:993
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA

verify error:num=20:unable to get local issuer certificate

Certificate chain
0 s:{snip}
i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA

i:/C=US/O=DigiCert Inc/ Global Root CA

Server certificate

issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA

No client certificate CA names sent

Server Temp Key: ECDH, P-521, 521 bits

SSL handshake has read 3143 bytes and written 508 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Protocol : TLSv1
Session-ID: {snip}
Master-Key: {snip}
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1573671407
Timeout : 300 (sec)

Verify return code: 20 (unable to get local issuer certificate)

  • OK The Microsoft Exchange IMAP4 service is ready.

Is there any configuration in TA-DMARC that may have an effect on this issue or should I be looking elsewhere in SPLUNK? Any pointers or hints with this issue would be appreciated.

0 Karma

Path Finder

TLSv1.0 is not supported out-of-the box.
To support older exchange boxes like yours, change line 55 of

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...