CentOS 8 Openssl problem

Issues related to applications and software problems and general support
rdvjack
Posts: 6
Joined: 2020/07/25 01:17:42

CentOS 8 Openssl problem

Post by rdvjack » 2020/07/25 01:22:56

On my Apache/2.4.37 server I use PHP 7.4.8 and OpenSSL 1:1.1.1c-15.el8 but when I use fockopen on smtp.gmail.com(I tried both ports: 465 and 587) I get this error:

Code: Select all

Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages: error:1408F10B:SSL routines:ssl3_get_record:wrong version number in /var/www/public_html/mail.php on line 9
Warning: fsockopen(): Failed to enable crypto in /var/www/public_html/mail.php on line 9
Warning: fsockopen(): unable to connect to tls://smtp.gmail.com:587 (Unknown error) in /var/www/public_html/mail.php on line 9
How can i fix this issue?

rdvjack
Posts: 6
Joined: 2020/07/25 01:17:42

Re: CentOS 8 Openssl problem

Post by rdvjack » 2020/07/25 05:57:57

Can be from a system update? Because I had openssl-1.1.1c-2.el8, and was no problem using fsockopen on smtp.gmail.com.

User avatar
TrevorH
Forum Moderator
Posts: 29471
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CentOS 8 Openssl problem

Post by TrevorH » 2020/07/25 11:34:18

What's the output from aureport -a ? Any entries timestamped near the time you last tried this?
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

rdvjack
Posts: 6
Joined: 2020/07/25 01:17:42

Re: CentOS 8 Openssl problem

Post by rdvjack » 2020/07/26 14:15:59

The output is:

Code: Select all

<no events of interest were found>

aks
Posts: 3022
Joined: 2014/09/20 11:22:14

Re: CentOS 8 Openssl problem

Post by aks » 2020/07/27 18:16:21

Sure you're doing the right thing?
Here's what I get:

$ openssl s_client -connect smtp.gmail.com:465 -tls1_2
CONNECTED(00000003)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
....

$ openssl s_client -connect smtp.gmail.com:587 -tls1_2
CONNECTED(00000003)
140321125058368:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:331:
....
(that error looks a lot like yours).

rdvjack
Posts: 6
Joined: 2020/07/25 01:17:42

Re: CentOS 8 Openssl problem

Post by rdvjack » 2020/07/27 21:50:44

Using this command i'm using ipv6 connection

Code: Select all

echo QUIT | openssl s_client -debug -crlf -starttls smtp -connect smtp.gmail.com:587
and I get:

Code: Select all

CONNECTED(00000003)
read from 0x55979b0a2260 [0x55979b0abe90] (4096 bytes => 48 (0x30))
0000 - 34 32 31 20 34 2e 37 2e-30 20 54 72 79 20 61 67   421 4.7.0 Try ag
0010 - 61 69 6e 20 6c 61 74 65-72 2c 20 63 6c 6f 73 69   ain later, closi
0020 - 6e 67 20 63 6f 6e 6e 65-63 74 69 6f 6e 2e 0d 0a   ng connection...
write to 0x55979b0a2260 [0x55979b0acea0] (23 bytes => 23 (0x17))
0000 - 45 48 4c 4f 20 6d 61 69-6c 2e 65 78 61 6d 70 6c   EHLO mail.exampl
0010 - 65 2e 63 6f 6d 0d 0a                              e.com..
read from 0x55979b0a2260 [0x55979b0abe90] (4096 bytes => 0 (0x0))
Didn't find STARTTLS in server response, trying anyway...
write to 0x55979b0a2260 [0x7ffd650340a0] (10 bytes => 10 (0xA))
0000 - 53 54 41 52 54 54 4c 53-0d 0a                     STARTTLS..
read from 0x55979b0a2260 [0x55979afd4410] (8192 bytes => 0 (0x0))
write to 0x55979b0a2260 [0x55979b0ba610] (322 bytes => 322 (0x142))
0000 - 16 03 01 01 3d 01 00 01-39 03 03 99 34 b9 dc fd   ....=...9...4...
0010 - 8f d1 fc 68 40 14 ab 46-eb fb 0b 9f 0c 02 10 e5   ...h@..F........
0020 - 04 ce 0d 70 60 b7 81 bd-54 47 56 20 81 98 61 4e   ...p`...TGV ..aN
0030 - a9 e0 36 8a 71 52 3a eb-d4 55 ef dc c7 f9 d8 41   ..6.qR:..U.....A
0040 - 7c 64 30 14 9c 02 dc 6d-52 e8 ce 27 00 48 13 02   |d0....mR..'.H..
0050 - 13 03 13 01 13 04 c0 2c-c0 30 cc a9 cc a8 c0 ad   .......,.0......
0060 - c0 2b c0 2f c0 ac c0 23-c0 27 c0 0a c0 14 c0 09   .+./...#.'......
0070 - c0 13 00 9d c0 9d 00 9c-c0 9c 00 3d 00 3c 00 35   ...........=.<.5
0080 - 00 2f 00 9f cc aa c0 9f-00 9e c0 9e 00 6b 00 67   ./...........k.g
0090 - 00 39 00 33 00 ff 01 00-00 a8 00 00 00 13 00 11   .9.3............
00a0 - 00 00 0e 73 6d 74 70 2e-67 6d 61 69 6c 2e 63 6f   ...smtp.gmail.co
00b0 - 6d 00 0b 00 04 03 00 01-02 00 0a 00 0c 00 0a 00   m...............
00c0 - 1d 00 17 00 1e 00 19 00-18 00 23 00 00 00 16 00   ..........#.....
00d0 - 00 00 17 00 00 00 0d 00-30 00 2e 04 03 05 03 06   ........0.......
00e0 - 03 08 07 08 08 08 09 08-0a 08 0b 08 04 08 05 08   ................
00f0 - 06 04 01 05 01 06 01 03-03 02 03 03 01 02 01 03   ................
0100 - 02 02 02 04 02 05 02 06-02 00 2b 00 05 04 03 04   ..........+.....
0110 - 03 03 00 2d 00 02 01 01-00 33 00 26 00 24 00 1d   ...-.....3.&.$..
0120 - 00 20 1c e0 83 0a 93 b4-95 26 77 5b 2e 45 bd 1d   . .......&w[.E..
0130 - a6 0c 2a 84 17 cb f0 f6-92 cd f9 c6 71 16 a3 b1   ..*.........q...
0140 - 20 75                                              u
read from 0x55979b0a2260 [0x55979b0b13f3] (5 bytes => 0 (0x0))
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 48 bytes and written 355 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
read from 0x55979b0a2260 [0x55979afd4410] (8192 bytes => 0 (0x0))
But if i use the same command but on ipv4 connection

Code: Select all

echo QUIT | openssl s_client -4 -debug -crlf -starttls smtp -connect smtp.gmail.com:587
I get this:

Code: Select all

CONNECTED(00000003)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = smtp.gmail.com
verify return:1
Certificate chain
 0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = smtp.gmail.com
   i:C = US, O = Google Trust Services, CN = GTS CA 1O1
 1 s:C = US, O = Google Trust Services, CN = GTS CA 1O1
   i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
  subject=C = US, ST = California, L = Mountain View, O = Google LLC, CN = smtp.gmail.com

issuer=C = US, O = Google Trust Services, CN = GTS CA 1O1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2889 bytes and written 435 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 SMTPUTF8
DONE

aks
Posts: 3022
Joined: 2014/09/20 11:22:14

Re: CentOS 8 Openssl problem

Post by aks » 2020/07/29 17:38:20

I'm not using starttls (i,.e.: "upgrade this to secure").
Perhaps that's the issue?

chemal
Posts: 692
Joined: 2013/12/08 19:44:49

Re: CentOS 8 Openssl problem

Post by chemal » 2020/07/29 20:40:37

That's certainly an issue when trying to connect to smtp.gmail.com on port 587. Trying to connect with tls right away doesn't work. You need to make a normal connection first which can then be ugraded with starttls. And if I understand this php stuff correctly, tls://smtp.gmail.com:587 means connect with tls right away. That only works on port 465.

rdvjack
Posts: 6
Joined: 2020/07/25 01:17:42

Re: CentOS 8 Openssl problem

Post by rdvjack » 2020/07/30 12:56:12

chemal wrote:
2020/07/29 20:40:37
That's certainly an issue when trying to connect to smtp.gmail.com on port 587. Trying to connect with tls right away doesn't work. You need to make a normal connection first which can then be ugraded with starttls. And if I understand this php stuff correctly, tls://smtp.gmail.com:587 means connect with tls right away. That only works on port 465.
I don't think so, why I can send the mail using ipv4? I should get the same error on ipv4 and ipv6, but the error only occurs on ipv6.

aks
Posts: 3022
Joined: 2014/09/20 11:22:14

Re: CentOS 8 Openssl problem

Post by aks » 2020/07/30 17:36:00

Does IPv6 work without the starttls?

Post Reply

Return to “CentOS 8 - General Support”