3
votes

I am using openssl to build secure smtp connections to gmail.com:25. I can successfully connect to the server and send the command STARTTLS (I receive 220 2.0.0 Ready to start TLS). Then, without disconnecting, I execute the following code:

#include <openssl/ssl.h>
#include <openssl/err.h>

const SSL_METHOD* method = NULL;
SSL_CTX* ctx = NULL;
SSL* ssl = NULL;
/* sockfd is the already-connected TCP socket on which STARTTLS was sent */

SSL_library_init();
SSL_load_error_strings();

method = SSLv23_client_method();   /* negotiate the highest version both sides support */

ctx = SSL_CTX_new(method);
if (ctx == NULL)
{
    ERR_print_errors_fp(stderr);
    return;
}
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);   /* refuse SSLv2 */
ssl = SSL_new(ctx);
if (ssl == NULL)
{
    ERR_print_errors_fp(stderr);
    return;
}
if (!SSL_set_fd(ssl, sockfd))   /* attach the existing TCP socket to the SSL object */
{
    ERR_print_errors_fp(stderr);
    return;
}
if (SSL_connect(ssl) < 1)       /* run the TLS handshake over that socket */
{
    ERR_print_errors_fp(stderr);
    return;
}
// then I think I need to send EHLO

But after calling SSL_connect I get an error:

24953:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:601:

If I use SSLv3_client_method I get an error:

18143:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:284.

And If TLSv1_client_method:

21293:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:284:

Why? What am I doing wrong?


3 Answers

4
votes

I ran into the same problem yesterday. Here is how I solved it:
- start by creating a normal TCP socket and connect it to smtp.gmail.com:587
- send a "ehlo [127.0.0.1]\r\n" command
- get the answers from the server (Notice: so far everything is in clear)
- send a "STARTTLS\r\n" command
- get the answer (i.e. "220 Ready for TLS")
- at this moment, create your ssl wrapper (method, ctx, etc...) and use "SSL_set_fd" and "SSL_connect" to activate it
- send a new "ehlo [127.0.0.1]\r\n" command but using the SSL socket

From now on, use "SSL_write" and "SSL_read" with the SSL socket to send your authentication information and email.

Please realize that this method only encrypts your data but doesn't authenticate you (or the server) with SSL certificates. But for me, it solved the problem of getting "unknown protocol".

Hope this helps...
Phil

0
votes

Try using SSLv3_client_method or TLSv1_client_method instead of SSLv23_client_method. I don't think Gmail supports SSLv23.

0
votes

Are you reading both the \r (carriage return) and \n (newline) characters that delimit the end of the server's 220 response, before starting TLS?
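The STARTTLS sequence from Phil's answer (plain EHLO, STARTTLS, TLS handshake on the same socket, EHLO again) together with the last answer's point about consuming the full CRLF-terminated reply, as an added example that is not code from any of the posters. It uses Python's standard ssl module rather than the C OpenSSL API, because the steps are the same and the default context also verifies the server certificate and hostname, which is the authentication step Phil notes his solution lacks. The ScriptedSocket class, the smtp.example.test replies and demo_offline() are constructed test doubles so the reply parser can be exercised offline; "[127.0.0.1]" and smtp.gmail.com:587 are taken from Phil's answer.

```python
import socket
import ssl


class SmtpSession:
    """Buffers bytes from a socket and returns one complete SMTP reply at a time."""

    def __init__(self, sock):
        self.sock = sock      # plain socket first, TLS-wrapped socket after STARTTLS
        self.buf = b""        # bytes received but not yet consumed

    def read_reply(self):
        """Return (code, [text of each line]) for one full reply. The reply ends at
        the first 'NNN text\\r\\n' line; 'NNN-text' lines are continuations."""
        lines = []
        while True:
            while b"\r\n" not in self.buf:          # wait for a whole line, CR and LF
                chunk = self.sock.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed the connection mid-reply")
                self.buf += chunk
            raw, self.buf = self.buf.split(b"\r\n", 1)
            line = raw.decode("ascii", errors="replace")
            if len(line) < 3 or not line[:3].isdigit():
                raise ValueError("malformed SMTP reply line: %r" % line)
            lines.append(line[4:])
            if len(line) == 3 or line[3] == " ":     # space after the code: last line
                return int(line[:3]), lines

    def command(self, verb):
        """Send one CRLF-terminated command line and read its reply."""
        self.sock.sendall(verb.encode("ascii") + b"\r\n")
        return self.read_reply()


def starttls(session, server_hostname, ctx=None):
    """EHLO -> STARTTLS -> TLS handshake -> EHLO again; returns the capabilities
    advertised inside the TLS session."""
    code, caps = session.command("EHLO [127.0.0.1]")
    if code != 250:
        raise RuntimeError("EHLO rejected: %d %s" % (code, caps))
    if not any(c.split()[0].upper() == "STARTTLS" for c in caps[1:] if c.split()):
        # Do not silently continue in clear if the server offers no TLS.
        raise RuntimeError("server does not advertise STARTTLS")
    code, reply = session.command("STARTTLS")
    if code != 220:
        raise RuntimeError("STARTTLS rejected: %d %s" % (code, reply))
    if session.buf:
        # Plaintext bytes that arrived after the 220 must never be treated as
        # part of the encrypted session; abort instead of carrying them over.
        raise RuntimeError("unexpected plaintext data after 220, aborting")
    if ctx is None:
        ctx = ssl.create_default_context()   # verifies certificate chain and hostname
    session.sock = ctx.wrap_socket(session.sock, server_hostname=server_hostname)
    code, caps = session.command("EHLO [127.0.0.1]")   # repeat EHLO inside TLS
    if code != 250:
        raise RuntimeError("EHLO inside TLS rejected: %d %s" % (code, caps))
    return caps


class ScriptedSocket:
    """Constructed stand-in for a socket: replays canned server bytes in the given
    chunks, so a CRLF split across two recv() calls can be tested offline."""

    def __init__(self, chunks):
        self.chunks = list(chunks)
        self.sent = []

    def recv(self, n):
        return self.chunks.pop(0) if self.chunks else b""

    def sendall(self, data):
        self.sent.append(data)


def demo_offline():
    """Parse a constructed greeting and a multi-line EHLO reply; the first CRLF is
    deliberately split across two reads."""
    sock = ScriptedSocket([
        b"220 smtp.example.test ESMTP ready\r",
        b"\n250-smtp.example.test at your service\r\n250-STARTTLS\r\n",
        b"250 SIZE 35882577\r\n",
    ])
    session = SmtpSession(sock)
    greeting = session.read_reply()
    ehlo = session.command("EHLO [127.0.0.1]")
    return greeting, ehlo, sock.sent


if __name__ == "__main__":
    # Live use against the server named in Phil's answer (network required).
    raw = socket.create_connection(("smtp.gmail.com", 587), timeout=30)
    session = SmtpSession(raw)
    try:
        code, _ = session.read_reply()            # consume the whole 220 greeting first
        if code != 220:
            raise SystemExit("unexpected greeting code %d" % code)
        print(starttls(session, "smtp.gmail.com"))
        session.command("QUIT")
    finally:
        session.sock.close()
```

Note that read_reply keeps any bytes following a reply in session.buf instead of discarding them; starttls() checks that buffer after the 220 and refuses to proceed if anything was already waiting in clear, so no pre-TLS bytes are ever read back as if they had come through the encrypted channel.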