
I've been reading many different blog posts and articles over the past hour but none have helped me understand why this command without -starttls:

openssl s_client -crlf -connect mail.example.org:993

results in:

CONNECTED(00000003)
depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=mail.example.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=mail.example.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 4020 bytes and written 712 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: C1697F148A98513C69BA6D10E28E5B094BD80ADAF05C480658F294D71BD15AD7
    Session-ID-ctx:
    Master-Key: 4626C9E4F276AB077457DB574C181F3779207A228779204E325BF747AC6E487CFD0D79847CFD5B7E07DFB02C67DC4165
    Key-Arg   : None
    Start Time: 1602799379
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot (Debian) ready.

But this command with starttls:

openssl s_client -starttls imap -crlf -connect mail.example.org:993

results in just:

CONNECTED(00000003)

And then it just kind of hangs, and there doesn't seem to be a way to interact with IMAP.

How do I properly test port 993 to determine 1) whether I have explicit or implicit TLS, and 2) whether STARTTLS is enabled and working if it is set to explicit?

StevieD

2 Answers


Port 993 is defined as IMAP over TLS, i.e. implicit TLS. This port must always answer with a TLS handshake. STARTTLS may be used on the unencrypted port 143, but it's best practice to not serve this port at all. See RFC 8314 for further information on this.

Michael Hampton
  • Right, but how do I determine if I have dovecot set up properly? I want implicit tls so that tls is always on. – StevieD Oct 15 '20 at 22:21
  • What I'm confused by is `-starttls imap` works fine on port 143, but not on 993. What setting in dovecot controls whether starttls is on or off on a port? – StevieD Oct 15 '20 at 22:28
  • @StevieD Of course it does. Though it would help if I wrote the correct port number in the answer. As for dovecot, these are the defaults for those services, and you can find them commented out in the configuration. Actually changing them is not a good idea, of course. – Michael Hampton Oct 15 '20 at 22:36
  • Right, but I just want to be absolutely certain I didn't break things while configuring dovecot. I'm new to this and it's confusing as hell. I don't know why `-starttls imap` on port 993 causes the server to respond with a simple `CONNECTED(000000003)` and then hangs. Makes me worried I got something wrong. – StevieD Oct 15 '20 at 22:53
  • And yeah, my intention is to not run port 143. I just turned it back on to see what happens when I did STARTTLS on it. – StevieD Oct 15 '20 at 22:55
  • If I do the same thing with gmail with `openssl s_client -crlf -connect imap.gmail.com:993 -starttls imap`, I get: `CONNECTED(00000003) didn't found STARTTLS in server response, try anyway... 17530:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-80/src/ssl/s23_lib.c:185:` – StevieD Oct 15 '20 at 22:58
  • It responds that way, or more specifically doesn't respond at all, because that port doesn't use STARTTLS. It's expecting a TLS handshake, which you aren't sending. – Michael Hampton Oct 15 '20 at 23:07


You have already tested it properly! Everything is as expected:

  • The openssl s_client -crlf -connect mail.example.org:993 command tests for implicit TLS as defined in RFC 8314, section 3. This succeeds, so implicit TLS is used on port 993.
  • The openssl s_client -starttls imap -crlf -connect mail.example.org:993 command, with -starttls imap, tests for STARTTLS. It fails, because STARTTLS is not in use on port 993.

STARTTLS might be used on port 143, as explained in the answer from Michael Hampton. However, that would be against the recommendation in RFC 8314.

Esa Jokinen
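As an added example (not code from either answer or from the original post), here is a small Python probe that applies both tests programmatically: it connects and stays silent, treats a server that greets in the clear as a plaintext port and attempts the STARTTLS upgrade it advertises, and treats a silent server as a candidate implicit-TLS port that must produce its IMAP greeting only after a TLS handshake. The host name is a placeholder; the two sample greetings embedded in it are constructed (the 993 one is copied from the question's own output, the 143 one is what a Dovecot plaintext port with cleartext login disabled typically sends).

```python
#!/usr/bin/env python3
"""Probe an IMAP host the way both answers describe: port 993 must answer a
TLS handshake directly (implicit TLS, RFC 8314 section 3), while a plaintext
port such as 143 greets in the clear and must advertise STARTTLS before any
upgrade. Added example, not code from the original post; the host name and the
sample greetings are constructed placeholders.
"""
import re
import socket
import ssl

# IMAP greeting: "* OK [CAPABILITY ...] text"; the capability list is optional.
GREETING_RE = re.compile(r"^\* (OK|PREAUTH|BYE)(?: \[CAPABILITY ([^\]]*)\])?",
                         re.IGNORECASE)

# Constructed samples: the 993 greeting from the question (read inside TLS, so
# no STARTTLS is expected) and a typical Dovecot plaintext greeting on 143.
GREETING_993 = ("* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
                "LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot (Debian) ready.")
GREETING_143 = ("* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
                "LITERAL+ STARTTLS LOGINDISABLED] Dovecot (Debian) ready.")


def parse_greeting(line):
    """Return (status, capability set) for an IMAP greeting line, or
    (None, set()) if the text is not an IMAP greeting at all."""
    m = GREETING_RE.match(line.strip())
    if not m:
        return None, set()
    caps = {c.upper() for c in m.group(2).split()} if m.group(2) else set()
    return m.group(1).upper(), caps


def classify_port(plain_banner, tls_greeting):
    """Decide what a port is from two observations:
      plain_banner: bytes the server sent before we sent anything (b"" if silent)
      tls_greeting: greeting text read after a TLS handshake (None if none/failed)
    An implicit-TLS listener is silent until it sees a ClientHello; a plaintext
    IMAP port greets immediately, and STARTTLS is then its only upgrade path."""
    if parse_greeting(plain_banner.decode("ascii", "replace"))[0] is not None:
        return "plaintext"
    if tls_greeting is not None and parse_greeting(tls_greeting)[0] is not None:
        return "implicit-tls"
    return "unknown"


def starttls_verdict(caps):
    """Judge a plaintext port's capabilities. RFC 8314 prefers not serving 143 at
    all; if it is served, STARTTLS must be offered and cleartext LOGIN refused."""
    if "STARTTLS" not in caps:
        return "no STARTTLS offered: cleartext only"
    if "LOGINDISABLED" not in caps:
        return "STARTTLS offered but LOGIN still allowed in the clear"
    return "STARTTLS offered, cleartext LOGIN disabled"


def probe(host, port, timeout=5.0):
    """Live probe (needs network). Returns (kind, capabilities, starttls_ok);
    starttls_ok is None unless the port turned out to be a plaintext port."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = None
    try:
        try:
            plain = raw.recv(1024)      # stay silent: who speaks first?
        except socket.timeout:
            plain = b""                 # silence: a TLS listener waiting for ClientHello
        if plain:
            caps = parse_greeting(plain.decode("ascii", "replace"))[1]
            starttls_ok = False
            if "STARTTLS" in caps:
                raw.sendall(b"a1 STARTTLS\r\n")
                reply = raw.recv(1024).decode("ascii", "replace")
                if reply.startswith("a1 OK"):     # server agreed; handshake now
                    tls = ctx.wrap_socket(raw, server_hostname=host)
                    tls.sendall(b"a2 LOGOUT\r\n")
                    starttls_ok = True
            return classify_port(plain, None), caps, starttls_ok
        try:
            tls = ctx.wrap_socket(raw, server_hostname=host)
            greeting = tls.recv(1024).decode("ascii", "replace")
            tls.sendall(b"a1 LOGOUT\r\n")
        except OSError:                 # handshake refused: not a TLS listener
            return "unknown", set(), None
        return classify_port(b"", greeting), parse_greeting(greeting)[1], None
    finally:
        (tls or raw).close()


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.org"  # placeholder
    for port in (993, 143):
        try:
            kind, caps, starttls_ok = probe(host, port)
        except OSError as exc:
            print(f"{host}:{port}: connection failed ({exc})")
            continue
        report = f"{host}:{port}: {kind}"
        if kind == "plaintext":
            report += f"; {starttls_verdict(caps)}; upgrade "
            report += "worked" if starttls_ok else "failed"
        print(report)
```

Run it as `python3 imap_probe.py mail.example.org` (the file name is mine). For a Dovecot set up the way the question intends, 993 should report implicit-tls, and 143 should either refuse the connection or report plaintext with STARTTLS and LOGINDISABLED. The capability list a server shows inside TLS on 993 legitimately lacks STARTTLS, exactly as in the question's output, so its absence there is not a sign of misconfiguration; the thing to worry about would be a plaintext port that advertises AUTH=PLAIN or allows LOGIN without LOGINDISABLED.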