When attempting to add an input for TA-DMARC, I am receiving the following error:
Error connecting to {imap.hostname.tld} with exception [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:741)
TLS is working on the IMAP host on port 993:
sslscan {imap.hostname.tld}:993
Version: 1.11.13-static
OpenSSL 1.0.2-chacha (1.0.2g-dev)
Connected to {ip.address}
Testing SSL server {imap.hostname.tld} on port 993 using SNI name {imap.hostname.tld}
TLS Fallback SCSV:
Server only supports TLSv1.0
TLS renegotiation:
Secure session renegotiation supported
TLS Compression:
Compression disabled
Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed
Supported Server Cipher(s):
Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-521 DHE 521
Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-521 DHE 521
Accepted TLSv1.0 256 bits AES256-SHA
Accepted TLSv1.0 128 bits AES128-SHA
Accepted TLSv1.0 112 bits DES-CBC3-SHA
SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength: 2048
Subject: {imap.hostname.tld}
Altnames: DNS:{imap.hostname.tld}, {snip}
Issuer: DigiCert SHA2 Secure Server CA
Not valid before: May 31 00:00:00 2017 GMT
Not valid after: Aug 3 12:00:00 2020 GMT
And the SPLUNK instance is able to connect to the IMAP server via TLS 1.0 on port 993:
$SPLUNK_HOME/bin/splunk cmd openssl s_client -connect {imap.hostname.tld}:993
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
Certificate chain
0 s:{snip}
i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
Server certificate
-----BEGIN CERTIFICATE-----
{...snip...}
-----END CERTIFICATE-----
subject={snip}
No client certificate CA names sent
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: {snip}
Session-ID-ctx:
Master-Key: {snip}
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1573671407
Timeout : 300 (sec)
Is there any configuration in TA-DMARC that may have an effect on this issue or should I be looking elsewhere in SPLUNK? Any pointers or hints with this issue would be appreciated.
TLSv1.0 is not supported out of the box.
To support older Exchange boxes like yours, change line 55 of imap2dir.py:
https://github.com/jorritfolmer/TA-dmarc/blob/master/bin/dmarc/imap2dir.py#L55
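For anyone making that change, here is an added example (not TA-dmarc's code, and not the contents of line 55) of lowering the TLS floor in Python's `ssl` module for named legacy hosts only, with certificate and hostname verification left on. It assumes Python 3.7+ and that the add-on can pass an `SSLContext` to `imaplib`; the host name, `LEGACY_TLS10_HOSTS`, `build_imap_context` and `connect` are hypothetical.

```python
import imaplib
import ssl

# Hypothetical allowlist of servers known to speak only TLS 1.0 (constructed name).
LEGACY_TLS10_HOSTS = frozenset({"imap.legacy.example"})


def build_imap_context(host, legacy_hosts=LEGACY_TLS10_HOSTS):
    """Return a verifying SSLContext whose minimum TLS version depends on the host."""
    # create_default_context() keeps CERT_REQUIRED and hostname checking enabled.
    ctx = ssl.create_default_context()
    if host.lower() in legacy_hosts:
        # Lower only the floor, and only for this host. The ceiling is untouched,
        # so the client still negotiates a newer version once the server offers one.
        # Note: OpenSSL 3.x builds may also refuse TLS 1.0 at their default
        # security level, independent of this setting.
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    else:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def connect(host, port=993):
    """Open an IMAPS connection with the per-host context (requires network access)."""
    return imaplib.IMAP4_SSL(host, port, ssl_context=build_imap_context(host))
```

After a successful `connect()`, `conn.socket().version()` reports the protocol that was actually negotiated, which makes it easy to confirm when a legacy host can come off the allowlist.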