Bug#926900: sslv3 alert illegal parameter

To: Sandro Tosi <morph@debian.org>
Cc: 926900@bugs.debian.org
Subject: Bug#926900: sslv3 alert illegal parameter
From: Laurent Bigonville <bigon@debian.org>
Date: Fri, 26 Jan 2024 10:38:10 +0100
Message-id: <[🔎] 857f0404-67e5-4cd6-9460-248e78bbbc10@debian.org>
Reply-to: Laurent Bigonville <bigon@debian.org>, 926900@bugs.debian.org
In-reply-to: <248e05de-8420-1ff0-f5f3-05671a05b5ea@outerface.net>
References: <248e05de-8420-1ff0-f5f3-05671a05b5ea@outerface.net> <248e05de-8420-1ff0-f5f3-05671a05b5ea@outerface.net> <248e05de-8420-1ff0-f5f3-05671a05b5ea@outerface.net>

When looking at the documentation of smtplib (the python library used here), it says:

An SMTP_SSL instance behaves exactly the same as instances of SMTP.
SMTP_SSL should be used for situations where SSL is required from the beginning of the connection and using starttls() is not appropriate.
If host is not specified, the local host is used. If port is zero, the standard SMTP-over-SSL port (465) is used.

So that means that SMTP_SSL is used for connections where SSL is present from the start and not when STARTTLS is used to upgrade the connection to a secure one.

The documentation of reportbug says: smtptls: Enables TLS encryption for the SMTP connection, using STARTTLS. This setting is ignored if you connect to port 465, in which case SSL/TLS will always be used.

So either the documentation is wrong, of the code is.

The following python code works:

>>> smtp = smtplib.SMTP('mail-submit.debian.org',587)
>>> smtp.ehlo()
(250, b'stravinsky.debian.org Hello eriador.bigon.be [2a02:a03f:65c5:3301:a912:aba9:d92d:4965]\nSIZE 104857600\n8BITMIME\nCHUNKING\nSTARTTLS\nSMTPUTF8\nHELP')
>>> smtp.starttls()
(220, b'TLS go ahead')
>>> smtp.quit()
(221, b'stravinsky.debian.org closing connection')
>>>

While this is not:

>>> smtplib.SMTP_SSL('mail-submit.debian.org',587)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.11/smtplib.py", line 1050, in __init__
    SMTP.__init__(self, host, port, local_hostname, timeout,
  File "/usr/lib/python3.11/smtplib.py", line 255, in __init__
    (code, msg) = self.connect(host, port)
                  ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/smtplib.py", line 341, in connect
    self.sock = self._get_socket(host, port, self.timeout)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/smtplib.py", line 1057, in _get_socket
    new_socket = self.context.wrap_socket(new_socket,
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/ssl.py", line 517, in wrap_socket
    return self.sslsocket_class._create(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/ssl.py", line 1108, in _create
    self.do_handshake()
  File "/usr/lib/python3.11/ssl.py", line 1383, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1006)
>>>

Reply to:

Follow-Ups:
- Bug#926900: sslv3 alert illegal parameter
  - From: Laurent Bigonville <bigon@debian.org>

Prev by Date: Bug#926900: Processed: severity of 926900 is serious
Next by Date: Bug#926900: sslv3 alert illegal parameter
Previous by thread: Bug#926900: Processed: severity of 926900 is serious
Next by thread: Bug#926900: sslv3 alert illegal parameter
Index(es):
- Date
- Thread