TA-DMARC TLS Version Error

New Member

When attempting to add an input for TA-DMARC, I am receiving the following error:

Error connecting to {imap.hostname.tld} with exception [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:741)


TLS is working on the IMAP host on port 993:

sslscan {imap.hostname.tld}:993
Version: 1.11.13-static
OpenSSL 1.0.2-chacha (1.0.2g-dev)

Connected to {ip.address}

Testing SSL server {imap.hostname.tld} on port 993 using SNI name {imap.hostname.tld}

TLS Fallback SCSV:
Server only supports TLSv1.0

TLS renegotiation:
Secure session renegotiation supported

TLS Compression:
Compression disabled

Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed

Supported Server Cipher(s):
Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-521 DHE 521
Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-521 DHE 521
Accepted TLSv1.0 256 bits AES256-SHA
Accepted TLSv1.0 128 bits AES128-SHA
Accepted TLSv1.0 112 bits DES-CBC3-SHA

SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength: 2048

Subject: {imap.hostname.tld}
Altnames: DNS:{imap.hostname.tld}, {snip}
Issuer: DigiCert SHA2 Secure Server CA

Not valid before: May 31 00:00:00 2017 GMT
Not valid after: Aug 3 12:00:00 2020 GMT


And the SPLUNK instance is able to connect to the IMAP server via TLS 1.0 on port 993:

$SPLUNK_HOME/bin/splunk cmd openssl s_client -connect {imap.hostname.tld}:993
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA

verify error:num=20:unable to get local issuer certificate

Certificate chain
0 s:{snip}
i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA

i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA

Server certificate
-----BEGIN CERTIFICATE-----
{...snip...}
-----END CERTIFICATE-----
subject={snip}

issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA

No client certificate CA names sent

Server Temp Key: ECDH, P-521, 521 bits

SSL handshake has read 3143 bytes and written 508 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: {snip}
Session-ID-ctx:
Master-Key: {snip}
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1573671407
Timeout : 300 (sec)

Verify return code: 20 (unable to get local issuer certificate)

* OK The Microsoft Exchange IMAP4 service is ready.

Is there any configuration in TA-DMARC that may have an effect on this issue or should I be looking elsewhere in SPLUNK? Any pointers or hints with this issue would be appreciated.

0 Karma

Path Finder

TLSv1.0 is not supported out of the box.
To support older Exchange boxes like yours, change line 55 of imap2dir.py:

https://github.com/jorritfolmer/TA-dmarc/blob/master/bin/dmarc/imap2dir.py#L55

0 Karma
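
The version mismatch behind this error, as an added example (not code from TA-dmarc or from either poster): it reads the cipher lines of the sslscan output in the question and checks them against a client-side minimum TLS version. The function names are hypothetical, and it assumes Python 3.7+ for ssl.TLSVersion.

```python
import re
import ssl

# Constructed sample: the cipher lines of the sslscan output quoted in the question.
SSLSCAN_OUTPUT = """\
Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve P-521 DHE 521
Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-521 DHE 521
Accepted TLSv1.0 256 bits AES256-SHA
Accepted TLSv1.0 128 bits AES128-SHA
Accepted TLSv1.0 112 bits DES-CBC3-SHA
"""

SCAN_LABELS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
CIPHER_LINE = re.compile(r"^\s*(?:Preferred|Accepted)\s+(TLSv1\.[0-3])\s", re.M)

def server_versions(scan_text):
    """TLS versions for which sslscan listed at least one accepted cipher."""
    return {SCAN_LABELS[label] for label in CIPHER_LINE.findall(scan_text)}

def shared_versions(offered, client_min, client_max=ssl.TLSVersion.TLSv1_3):
    """Versions both sides allow, lowest first (TLSVersion is an IntEnum)."""
    return sorted(v for v in offered if client_min <= v <= client_max)

def diagnose(scan_text, client_min, client_max=ssl.TLSVersion.TLSv1_3):
    """Predict whether a client limited to [client_min, client_max] can handshake."""
    offered = server_versions(scan_text)
    if not offered:
        return "no accepted ciphers found in scan output"
    shared = shared_versions(offered, client_min, client_max)
    if shared:
        return "handshake possible, highest shared version " + shared[-1].name
    names = ", ".join(v.name for v in sorted(offered))
    return "version mismatch: server offers only %s, client floor is %s" % (
        names, client_min.name)

def imap_context(min_version):
    """Client context with an explicit TLS floor; certificate checks stay enabled."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = min_version
    return ctx

if __name__ == "__main__":
    print(diagnose(SSLSCAN_OUTPUT, ssl.TLSVersion.TLSv1_2))
    print(diagnose(SSLSCAN_OUTPUT, ssl.TLSVersion.TLSv1))
```

The context from imap_context() can be passed as ssl_context to imaplib.IMAP4_SSL. A lowered floor applies to every server that context connects to, so keep it on a context used only for the legacy host; builds linked against OpenSSL 3 may additionally block TLS 1.0 through the library's security level.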