All Apps and Add-ons

TA-DMARC TLS Version Error

New Member

When attempting to add an input for TA-DMARC, I am receiving the following error:

Error connecting to {imap.hostname.tld} with exception [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:741)


TLS is working on the IMAP host on port 993:

sslscan {imap.hostname.tld}:993
Version: 1.11.13-static
OpenSSL 1.0.2-chacha (1.0.2g-dev)

Connected to {ip.address}

Testing SSL server {imap.hostname.tld} on port 993 using SNI name {imap.hostname.tld}

TLS Fallback SCSV:
Server only supports TLSv1.0

TLS renegotiation:
Secure session renegotiation supported

TLS Compression:
Compression disabled

Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed

Supported Server Cipher(s):
Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-521 DHE 521
Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-521 DHE 521
Accepted TLSv1.0 256 bits AES256-SHA
Accepted TLSv1.0 128 bits AES128-SHA
Accepted TLSv1.0 112 bits DES-CBC3-SHA

SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength: 2048

Subject: {imap.hostname.tld}
Altnames: DNS:{imap.hostname.tld}, {snip}
Issuer: DigiCert SHA2 Secure Server CA

Not valid before: May 31 00:00:00 2017 GMT
Not valid after: Aug 3 12:00:00 2020 GMT


And the SPLUNK instance is able to connect to the IMAP server via TLS 1.0 on port 993:

$SPLUNK_HOME/bin/splunk cmd openssl s_client -connect {imap.hostname.tld}:993
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA

verify error:num=20:unable to get local issuer certificate

Certificate chain
0 s:{snip}
i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA

i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA

Server certificate
-----BEGIN CERTIFICATE-----
{...snip...}
-----END CERTIFICATE-----
subject={snip}

issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA

No client certificate CA names sent

Server Temp Key: ECDH, P-521, 521 bits

SSL handshake has read 3143 bytes and written 508 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: {snip}
Session-ID-ctx:
Master-Key: {snip}
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1573671407
Timeout : 300 (sec)

Verify return code: 20 (unable to get local issuer certificate)

  • OK The Microsoft Exchange IMAP4 service is ready.

Is there any configuration in TA-DMARC that may have an effect on this issue or should I be looking elsewhere in SPLUNK? Any pointers or hints with this issue would be appreciated.

0 Karma

Path Finder

TLSv1.0 is not supported out-of-the box.
To support older exchange boxes like yours, change line 55 of imap2dir.py:

https://github.com/jorritfolmer/TA-dmarc/blob/master/bin/dmarc/imap2dir.py#L55

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!