- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: TA-DMARC TLS Version Error
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
TA-DMARC TLS Version Error
When attempting to add an input for TA-DMARC, I am receiving the following error:
Error connecting to {imap.hostname.tld} with exception [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:741)
TLS is working on the IMAP host on port 993:
sslscan {imap.hostname.tld}:993
Version: 1.11.13-static
OpenSSL 1.0.2-chacha (1.0.2g-dev)
Connected to {ip.address}
Testing SSL server {imap.hostname.tld} on port 993 using SNI name {imap.hostname.tld}
TLS Fallback SCSV:
Server only supports TLSv1.0
TLS renegotiation:
Secure session renegotiation supported
TLS Compression:
Compression disabled
Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed
Supported Server Cipher(s):
Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-521 DHE 521
Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-521 DHE 521
Accepted TLSv1.0 256 bits AES256-SHA
Accepted TLSv1.0 128 bits AES128-SHA
Accepted TLSv1.0 112 bits DES-CBC3-SHA
SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength: 2048
Subject: {imap.hostname.tld}
Altnames: DNS:{imap.hostname.tld}, {snip}
Issuer: DigiCert SHA2 Secure Server CA
Not valid before: May 31 00:00:00 2017 GMT
Not valid after: Aug 3 12:00:00 2020 GMT
And the SPLUNK instance is able to connect to the IMAP server via TLS 1.0 on port 993:
$SPLUNK_HOME/bin/splunk cmd openssl s_client -connect {imap.hostname.tld}:993
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify error:num=20:unable to get local issuer certificate
Certificate chain
0 s:{snip}
i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
Server certificate
-----BEGIN CERTIFICATE-----
{...snip...}
-----END CERTIFICATE-----
subject={snip}
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
No client certificate CA names sent
Server Temp Key: ECDH, P-521, 521 bits
SSL handshake has read 3143 bytes and written 508 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: {snip}
Session-ID-ctx:
Master-Key: {snip}
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1573671407
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
- OK The Microsoft Exchange IMAP4 service is ready.
Is there any configuration in TA-DMARC that may have an effect on this issue or should I be looking elsewhere in SPLUNK? Any pointers or hints with this issue would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
TLSv1.0 is not supported out-of-the box.
To support older exchange boxes like yours, change line 55 of imap2dir.py:
https://github.com/jorritfolmer/TA-dmarc/blob/master/bin/dmarc/imap2dir.py#L55
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
