
#23 ssl handshake failure is not reported

1.2.1
cannot-reproduce
None
unknown
5
2016-12-03
2016-04-17
No

Using something like this in my mbsyncrc.

# work
IMAPAccount work
Host outlook.office365.com
Port 993
User james@placeholder.net
PassCmd "passcommand"
SSLType IMAPS
AuthMechs LOGIN
SSLVersions SSLv3
CertificateFile /usr/local/etc/openssl/cert.pem

IMAPStore work-remote
Account work

MaildirStore work-local
Path ~/Mail/work/
Inbox ~/Mail/work/inbox

Channel work
Master :work-remote:
Slave :work-local:
Patterns "*"
Create Slave
Sync All
Expunge Both
SyncState *

mbsync -D work always returns

Reading configuration file /Users/james/.mbsyncrc
Channel work
Opening master store work-remote...
Resolving outlook.office365.com... ok
Connecting to outlook.office365.com ([2a01:111:f400:5177::2]:993)...
Opening slave store work-local...
pattern '*' (effective '*'): Path, no INBOX
got mailbox list from slave:
IMAP error: unexpected EOF from outlook.office365.com ([2a01:111:f400:5177::2]:993)

Discussion

  • Oswald Buddenhagen

    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -1,5 +1,6 @@
     Using something ilke this in my mbsyncrc.
    
    +~~~~
     # work
     IMAPAccount work
     Host outlook.office365.com
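    Review bot: the context line `Using something ilke this in my mbsyncrc.` still carries the typo "ilke" (should be "like"); since this edit already touches the opening of the description to fence the config, the typo could be corrected in the same change.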
    @@ -26,9 +27,11 @@
     Sync All
     Expunge Both
     SyncState *
    +~~~~
    
     mbsync -D work always returns
    
    +~~~~
     Reading configuration file /Users/james/.mbsyncrc
     Channel work
     Opening master store work-remote...
    @@ -38,3 +41,4 @@
     pattern '*' (effective '*'): Path, no INBOX
     got mailbox list from slave:
     IMAP error: unexpected EOF from outlook.office365.com ([2a01:111:f400:5177::2]:993)
    +~~~~
    
    • Affected: 1.2.1 --> 1.3.0-pre
     
  • Oswald Buddenhagen

    please use -Dn instead of -D.

     
  • James Nguyen

    James Nguyen - 2016-04-23

    Not sure if I'm supposed to do anything with the diff above. Here's -Dn as well as -D again without changing any configuration.

    james at jamesretina in ~ ○ mbsync -Dn work
    Reading configuration file /Users/james/.mbsyncrc
    Channel work
    Opening master store work-remote...
    Resolving outlook.office365.com... ok
    Connecting to outlook.office365.com ([2a01:111:f400:142a::2]:993)...
    Opening slave store work-local...
    IMAP error: unexpected EOF from outlook.office365.com ([2a01:111:f400:142a::2]:993)

    james at jamesretina in ~ ○ mbsync -D work
    Reading configuration file /Users/james/.mbsyncrc
    Channel work
    Opening master store work-remote...
    Resolving outlook.office365.com... ok
    Connecting to outlook.office365.com ([2a01:111:f400:505a::2]:993)...
    Opening slave store work-local...
    pattern '*' (effective '*'): Path, no INBOX
    got mailbox list from slave:
    IMAP error: unexpected EOF from outlook.office365.com ([2a01:111:f400:505a::2]:993)

     
  • Oswald Buddenhagen

    right, i was being stupid - -D implies -Dn anyway.

    so what we're seeing is that the server immediately drops the connection after it is established, possibly during ssl negotiation.
    to verify whether the problem is with ssl, try playing with openssl s_client.
    an alternative explanation would be that it's related to ipv6. i can't think of a simple way to verify that with mbsync itself other than a) recompiling mbsync without ipv6 support or b) using a dns proxy which returns no AAAA records (i actually have such a config).

     
  • James Nguyen

    James Nguyen - 2016-04-23
    james at jamesretina in ~  openssl s_client -connect outlook.office365.com:993 -crlf
    CONNECTED(00000003)
    depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
    verify return:1
    depth=1 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, OU = Microsoft IT, CN = Microsoft IT SSL SHA2
    verify return:1
    depth=0 C = US, ST = WA, L = Redmond, O = Microsoft Corporation, OU = Microsoft Corporation, CN = outlook.com
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=WA/L=Redmond/O=Microsoft Corporation/OU=Microsoft Corporation/CN=outlook.com
       i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2
     1 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2
       i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIH3DCCBcSgAwIBAgITWgACDkKJ54xpWEiewQABAAIOQjANBgkqhkiG9w0BAQsF
    ADCBizELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT
    B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEVMBMGA1UE
    CxMMTWljcm9zb2Z0IElUMR4wHAYDVQQDExVNaWNyb3NvZnQgSVQgU1NMIFNIQTIw
    HhcNMTUxMDEzMjIyMDA0WhcNMTcxMDEyMjIyMDA0WjCBgjELMAkGA1UEBhMCVVMx
    CzAJBgNVBAgTAldBMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3Nv
    ZnQgQ29ycG9yYXRpb24xHjAcBgNVBAsTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEU
    MBIGA1UEAxMLb3V0bG9vay5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
    AoIBAQDk/8ftuN2cH6i5FxI/CsvuILSy8G2eOknbQS32Fm55uosydk7oAlikv4g8
    B9roHka5Sv7qBtaf9pDFdR4Yx3LgqSZl/ulYdpTlVFSbaYehQxx6CZzXmhSwk9ce
    B6SxmqHP6XeTj/J/rbAEvEoQN62o/kIU9huX0aPx74NthU2HV89YtHuTJ1c5uPf9
    vsN7tATRcgKYgPQW9EvK29Yj9Z8boEKam0gmm1Wi8RGRfKdtYjV9vKTBaNLxv4W1
    vkV8eG4lhqspa9EejUwu+TsPb1k+W8dHAy3Sq/yfJVmIGAv7hr91hWdQAqpFoER3
    eNmZ/h2fUcXmQXeyxryNsB+Lm3jnAgMBAAGjggM+MIIDOjALBgNVHQ8EBAMCBLAw
    HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHgGCSqGSIb3DQEJDwRrMGkw
    DgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQMEAgIAgDALBglghkgBZQMEASowCwYJ
    YIZIAWUDBAEtMAsGCWCGSAFlAwQBAjALBglghkgBZQMEAQUwBwYFKw4DAgcwCgYI
    KoZIhvcNAwcwHQYDVR0OBBYEFJ2wmBwkWtSd7VFTxNf2urGNe5APMB8GA1UdIwQY
    MBaAFFGvJCac9GgiV4AmKztGYhV7HsylMH0GA1UdHwR2MHQwcqBwoG6GNmh0dHA6
    Ly9tc2NybC5taWNyb3NvZnQuY29tL3BraS9tc2NvcnAvY3JsL21zaXR3d3cyLmNy
    bIY0aHR0cDovL2NybC5taWNyb3NvZnQuY29tL3BraS9tc2NvcnAvY3JsL21zaXR3
    d3cyLmNybDBwBggrBgEFBQcBAQRkMGIwPAYIKwYBBQUHMAKGMGh0dHA6Ly93d3cu
    bWljcm9zb2Z0LmNvbS9wa2kvbXNjb3JwL21zaXR3d3cyLmNydDAiBggrBgEFBQcw
    AYYWaHR0cDovL29jc3AubXNvY3NwLmNvbTBOBgNVHSAERzBFMEMGCSsGAQQBgjcq
    ATA2MDQGCCsGAQUFBwIBFihodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL21z
    Y29ycC9jcHMAMCcGCSsGAQQBgjcVCgQaMBgwCgYIKwYBBQUHAwEwCgYIKwYBBQUH
    AwIwgecGA1UdEQSB3zCB3IILb3V0bG9vay5jb22CDSoub3V0bG9vay5jb22CDW9m
    ZmljZTM2NS5jb22CDyoub2ZmaWNlMzY1LmNvbYIKKi5saXZlLmNvbYIWKi5pbnRl
    cm5hbC5vdXRsb29rLmNvbYIXKi5vdXRsb29rLm9mZmljZTM2NS5jb22CEm91dGxv
    b2sub2ZmaWNlLmNvbYIdYXR0YWNobWVudC5vdXRsb29rLm9mZmljZS5uZXSCIGF0
    dGFjaG1lbnQub3V0bG9vay5vZmZpY2VwcGUubmV0ggwqLm9mZmljZS5jb20wDQYJ
    KoZIhvcNAQELBQADggIBAA1MnIS+r3GyiJjg2+Zsx7q94z48ovRQJqIG6/c7UUzK
    6tEFkIepADfLszI+y4dYG7GP1j9e6K2a1StF2/tEjF21IA6NS/ITiOFXoStLQZ4T
    I1Sb3IIQoOeWchtYf2KIQXYvQJutWuzp1gcRUH3xuHxKr+TFlIicWqQccnBYzUqV
    dm92IhlHqdjT4kKIYjPDXEy+GMeh9+h2CVAgitsuZHfVL9V8ik3trkh6prGotca/
    JZ06cKr7CWL/Yz0zNKkjvvTF/pJ6m4UvkuhSJoaZYU4Rj3jjWqj1IrP6pDsc99Yd
    5HkUSkUq4xN8yhDuMDEKUQ/IjRTx1znWLzTELwZeRvDk2t4xXFJIsGxm8j1aL7+O
    xXxrpM7hD71omQaxNa+4nYUuBDePp/1Ac/z7S2EPgRC/GMJ/UNcKfD/Hat8o1AP7
    YT7RYF7GSqSxcEGKVhck5YAaQsbjjNdrx8N3Wo0qvu/BvJRGU79SvWgJAEfpbQFj
    qF3x1NR+mlEriTuujqAehX8QYdTwKNLMJSF5ZickGNCi+klBAd1kmvTdY3wf3KYL
    BQfUVkga1eLoqmWrPLFYhz8QFLF/GNiLkARIguAMZV77vc0Hl9UhN2wyEnBrfjmO
    dZKD/3bIMhW1l49oCkxhFki3ED9xNPD0xEBPW72bx0HyYp7Ch/1s3XZR/IfFaKDB
    -----END CERTIFICATE-----
    subject=/C=US/ST=WA/L=Redmond/O=Microsoft Corporation/OU=Microsoft Corporation/CN=outlook.com
    issuer=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2
    ---
    No client certificate CA names sent
    Peer signing digest: SHA1
    Server Temp Key: ECDH, P-384, 384 bits
    ---
    SSL handshake has read 4009 bytes and written 532 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-SHA384
        Session-ID: somestringofletters+numbers
        Session-ID-ctx:
        Master-Key: somestringofletters+numbers
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1461447366
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    
    * OK The Microsoft Exchange IMAP4 service is ready. [sometstringoflettershere==]
    * BYE Connection is closed. 13
    read:errno=0
    

    There's a long period of time before the '* BYE Connection is closed. 13' happens. ~30 seconds to a minute.

    Also tried this command. Same/Similar results as above.
    $ openssl s_client -connect outlook.office365.com:993

    I tried cloning
    $ git clone http://git.code.sf.net/p/isync/isync isync-isync

    and building off of master but get this error when running autogen. (Using OSX).

    james at jamesretina in ~/Developer/isync-isync on master± ./autogen.sh
    make -f Makefile.am log
    Can't locate Date/Parse.pm in @INC (@INC contains: /Applications/XAMPP/xamppfiles/lib/perl5/5.10.1/darwin-2level /Applications/XAMPP/xamppfiles/lib/perl5/5.10.1 /Applications/XAMPP/xamppfiles/lib/perl5/site_perl/5.10.1/darwin-2level /Applications/XAMPP/xamppfiles/lib/perl5/site_perl/5.10.1 .) at -e line 1.
    BEGIN failed--compilation aborted at -e line 1.
    make: *** [log] Error 2
    

    Otherwise, I'd be happy to try to get mbsync built and running without ipv6. (I'm assuming there's already some flag I can disable in configure to get a binary built without ipv6).

     

    Last edit: James Nguyen 2016-04-23
  • Oswald Buddenhagen

    hmm, openssl gives no indication whether it is using ipv4 or ipv6. please figure it out.

    for the missing perl module, try cpan Date::Parse.

    there is no configure option to disable ipv6, so you need to edit config.h (delete HAVE_IPV6), make clean, make.

     
  • James Nguyen

    James Nguyen - 2016-04-24

    I modified configure.ac and deleted where HAVE_IPV6 is defined.

    Deleted below.

    have_ipv6=true
    
    if $have_ipv6; then
        AC_DEFINE(HAVE_IPV6, 1, [if your libc has IPv6 support])
    fi
    

    Steps to install afterwards.

    $ ./configure
    $ make clean
    $ make install
    
    james at jamesretina in ~ ○ mbsync -v
    isync 1.3.0
    
    james at jamesretina in ~ ○ mbsync -D work
    Reading configuration file /Users/james/.mbsyncrc
    Channel work
    Opening master store work-remote...
    Resolving outlook.office365.com... ok
    Connecting to outlook.office365.com (132.245.92.242:993)...
    Opening slave store work-local...
    pattern '*' (effective '*'): Path, no INBOX
    got mailbox list from slave:
    IMAP error: unexpected EOF from outlook.office365.com (132.245.92.242:993)
    
    james at jamesretina in ~ ○
    

    Also, not sure if more info will help but I also tried using offlineimap to see if a connection could be maintained. It did seem to keep a connection/download messages but definitely lots of UIDVALIDITY errors upon syncing. Included simple offlineimaprc file.

    [general]
    accounts = work
    
    [Account work]
    localrepository = work-local
    remoterepository = work-remote
    # Status cache. Default is plain, which eventually becomes huge and slow.
    status_backend = sqlite
    
    [Repository work-local]
    type = Maildir
    localfolders = ~/imap/wor
    nametrans = lambda folder: {'inbox': 'INBOX',
                                }.get(folder, folder)
    
    [Repository work-remote]
    maxconnections = 4
    type = IMAP
    ssl = yes
    sslcacertfile = /usr/local/etc/openssl/cert.pem
    remotehost = outlook.office365.com
    remoteuser = james@placeholdermail.net
    remotepasseval = "placeholderpassword"
    remoteport = 993
    
     

    Last edit: Oswald Buddenhagen 2016-05-29
  • Oswald Buddenhagen

    uhm, now that i look again, i'm fairly sure that this is your problem:

    SSLVersions SSLv3
    

    why the @%$@$ ...?!

     
  • James Nguyen

    James Nguyen - 2016-04-26

    Yeah, wasn't sure if my config is correct. What should I change?

     
  • Oswald Buddenhagen

    just delete the line.
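The root cause in this thread is a single `SSLVersions SSLv3` line: it restricts mbsync to a protocol the server has disabled, so the server aborts the handshake and mbsync sees only an "unexpected EOF". The following is an added example (not code from isync/mbsync or from either participant) that parses an mbsyncrc into its sections the way mbsync's grammar does (a section opens with `IMAPAccount`/`IMAPStore`/`MaildirStore`/`Channel`/`Group` and ends at a blank line) and flags `IMAPAccount` sections whose `SSLVersions` permit only SSLv2/SSLv3, or list them alongside modern TLS, or that run without TLS at all. The sample configuration is constructed from the one in the report; the finding codes (`only-legacy`, `legacy-allowed`, `cleartext`) are this example's own names, not mbsync terminology.

```python
"""Lint an mbsyncrc for SSLVersions settings that make a server drop the
TLS handshake (the 'unexpected EOF' seen in the ticket).

Added example; not code from the isync project. SAMPLE_MBSYNCRC is
constructed from the ticket's configuration with placeholder values.
"""

# Versions that current servers (and current OpenSSL builds) refuse outright.
LEGACY_VERSIONS = {"SSLv2", "SSLv3"}

# Keywords that open a new section in mbsync's configuration grammar.
SECTION_KEYWORDS = {"IMAPAccount", "IMAPStore", "MaildirStore", "Channel", "Group"}

SAMPLE_MBSYNCRC = """\
# work
IMAPAccount work
Host outlook.office365.com
Port 993
User james@placeholder.net
PassCmd "passcommand"
SSLType IMAPS
AuthMechs LOGIN
SSLVersions SSLv3
CertificateFile /usr/local/etc/openssl/cert.pem

IMAPStore work-remote
Account work

MaildirStore work-local
Path ~/Mail/work/
Inbox ~/Mail/work/inbox

Channel work
Master :work-remote:
Slave :work-local:
Patterns "*"
Create Slave
Sync All
Expunge Both
SyncState *
"""


def parse_mbsyncrc(text):
    """Return a list of (kind, name, options) sections.

    A section starts with one of SECTION_KEYWORDS followed by its name,
    holds 'Keyword value' lines, and ends at the first blank line.
    '#' comment lines are skipped. A keyword may repeat (e.g. Patterns),
    so each keyword maps to a list of values in first-seen order.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:  # a blank line closes the current section
            current = None
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key in SECTION_KEYWORDS:
            current = (key, value, {})
            sections.append(current)
        elif current is not None:
            current[2].setdefault(key, []).append(value)
    return sections


def lint_tls(sections):
    """Check the TLS settings of every IMAPAccount section.

    Returns (account, code, message) triples with these codes:
      cleartext      - SSLType None: the IMAP session is unencrypted
      only-legacy    - SSLVersions permits only SSLv2/SSLv3, so a server
                       that disabled them aborts the handshake
      legacy-allowed - SSLv2/SSLv3 listed next to TLS: connects, but a
                       downgrade to the legacy version is possible
    """
    findings = []
    for kind, name, opts in sections:
        if kind != "IMAPAccount":
            continue
        ssl_type = opts.get("SSLType", ["None"])[-1]  # mbsync's default is None
        if ssl_type == "None":
            findings.append((name, "cleartext", "SSLType None: session is not encrypted"))
            continue
        allowed = set()
        for entry in opts.get("SSLVersions", []):
            allowed.update(entry.split())
        if not allowed:
            continue  # no SSLVersions line: OpenSSL negotiates the best mutual version
        legacy = allowed & LEGACY_VERSIONS
        tls = allowed - LEGACY_VERSIONS
        if legacy and not tls:
            findings.append((name, "only-legacy",
                             "SSLVersions %s permits no TLS version; the server will "
                             "drop the handshake. Delete the SSLVersions line."
                             % " ".join(sorted(allowed))))
        elif legacy:
            findings.append((name, "legacy-allowed",
                             "SSLVersions lists %s alongside TLS; remove the legacy "
                             "entries to rule out a downgrade." % " ".join(sorted(legacy))))
    return findings


if __name__ == "__main__":
    for account, code, message in lint_tls(parse_mbsyncrc(SAMPLE_MBSYNCRC)):
        print("%s [%s]: %s" % (account, code, message))
```

Run against the sample it reports `work [only-legacy]`; deleting the `SSLVersions` line, as suggested in the thread, clears the finding because the absent keyword lets OpenSSL negotiate the newest version both sides support.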

     
  • James Nguyen

    James Nguyen - 2016-04-27

    Thanks! Working for me now. Definitely a 'doh' moment. I had that very line in my gmail config also and it didn't seem to harm anything so I never suspected it.

     
  • Oswald Buddenhagen

    • summary: EOF when using office365 --> ssl handshake failure is not reported
    • status: reported --> open
    • assigned_to: Oswald Buddenhagen
    • Affected: 1.3.0-pre --> 1.2.1
     
  • Oswald Buddenhagen

    that's because sslv3 has been found terminally insecure only somewhat recently, and some servers still didn't disable it.

    i tried it with openssl:

    openssl s_client -connect outlook.office365.com:993 -crlf  -no_tls1_2 -no_tls1_1 -no_tls1
    CONNECTED(00000003)
    140521656010392:error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol:s23_clnt.c:735:
    [...]
    

    so it appears that there should be some report, and mbsync just fails to make one. this definitely should be fixed.

     

    Last edit: Oswald Buddenhagen 2016-05-29
  • Oswald Buddenhagen

    i tried a few times, but i always get a proper error message:

    Socket error: secure connect to outlook.office365.com (40.101.1.82:993): error:14077102:SSL routines:SSL23_GET_SERVER_HELLO:unsupported protocol
    

    maybe there is still a race condition in the error path, even though i thought i fixed all related problems shortly before the 1.2.0 release ...

     
  • James Nguyen

    James Nguyen - 2016-05-30

    Is there anything I can do to help with this?

     
  • Oswald Buddenhagen

    dunno. try strace and ltrace, maybe something will stand out from the logs.

     
  • James Nguyen

    James Nguyen - 2016-06-08

    Will do as time frees up.

     
  • Oswald Buddenhagen

    • status: open --> cannot-reproduce
     
