Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

TB 78.4 does not seem to be respecting tls.version.min

  • 3 replies
  • 1 has this problem
  • 8 views
  • Last reply by atErik

more options

I previously had to set tls.version.min to 1 when moving from 68 to 78 and that was fine. Now after upgrading from 78.3 to 78.4 the connection fails again despite the minimum tls version being set to 1.

Looking at the connection in wireshark, in the Client Hello, the supported versions are given as:

Extension: supported_versions (len=5)

   Type: supported_versions (43)
   Length: 5
   Supported Versions length: 4
   Supported Version: TLS 1.3 (0x0304)
   Supported Version: TLS 1.2 (0x0303)


which then causes the expected

Alert Message

   Level: Fatal (2)
   Description: Protocol Version (70)


The cipher suite chosen by the server hello is included in the client hello so they're not mismatching for what it's worth.

I previously had to set tls.version.min to 1 when moving from 68 to 78 and that was fine. Now after upgrading from 78.3 to 78.4 the connection fails again despite the minimum tls version being set to 1. Looking at the connection in wireshark, in the Client Hello, the supported versions are given as: Extension: supported_versions (len=5) Type: supported_versions (43) Length: 5 Supported Versions length: 4 Supported Version: TLS 1.3 (0x0304) Supported Version: TLS 1.2 (0x0303) which then causes the expected Alert Message Level: Fatal (2) Description: Protocol Version (70) The cipher suite chosen by the server hello is included in the client hello so they're not mismatching for what it's worth.

Modified by Conor

All Replies (3)

more options

What is the server address name? You'll need to post more of the wireshark.

more options

The mail server is mail.blacknight.com and the Wireshark overview is as follows, I'd add the actual pcapng if it was possible.

The TLS protocol version failure alert occurs at line 91: 43 6.272506420 10.0.0.15 81.17.254.9 TCP 74 4 39152 → 143 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=3248854081 TSecr=0 WS=128

44 6.273882829 10.0.0.15 81.17.254.9 TCP 74 4 34206 → 110 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=3248854083 TSecr=0 WS=128

45 6.283001017 81.17.254.9 10.0.0.15 TCP 74 4 143 → 39152 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1380 SACK_PERM=1 TSval=87655800 TSecr=3248854081 WS=128

46 6.283073335 10.0.0.15 81.17.254.9 TCP 66 4 39152 → 143 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=3248854092 TSecr=87655800

47 6.285566164 81.17.254.9 10.0.0.15 TCP 74 4 110 → 34206 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1380 SACK_PERM=1 TSval=87655803 TSecr=3248854083 WS=128

48 6.285712523 10.0.0.15 81.17.254.9 TCP 66 4 34206 → 110 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=3248854095 TSecr=87655803

49 6.293563873 81.17.254.9 10.0.0.15 IMAP 173 4 Response: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE STARTTLS AUTH=PLAIN] Dovecot ready.

50 6.293608719 10.0.0.15 81.17.254.9 TCP 66 4 39152 → 143 [ACK] Seq=1 Ack=108 Win=64256 Len=0 TSval=3248854103 TSecr=87655810

51 6.325515240 10.0.0.15 81.17.254.9 IMAP 78 4 Request: 1 STARTTLS

52 6.337599723 81.17.254.9 10.0.0.15 TCP 66 4 143 → 39152 [ACK] Seq=108 Ack=13 Win=5888 Len=0 TSval=87655854 TSecr=3248854134

53 6.337673958 81.17.254.9 10.0.0.15 IMAP 99 4 Response: 1 OK Begin TLS negotiation now.

54 6.337719281 10.0.0.15 81.17.254.9 TCP 66 4 39152 → 143 [ACK] Seq=13 Ack=141 Win=64256 Len=0 TSval=3248854147 TSecr=87655854

57 6.393028857 10.0.0.15 81.17.254.9 IMAP 583 4 Request: \026\003\001\002\000\001\000\001�\003\003\004����\003X-��2Ƽ�\aBAy�\005�3/7b�\033ed� ^YC�����'��P�H\004��(i������,�1L�\025�\000"\023\001\023\003\023\002�+�/�����,�0�

58 6.406364860 81.17.254.9 10.0.0.15 IMAP 1434 4 Response: \026\003\001\000Q\002\000\000M\003\001_�c2� \001\025��\033�\0228[�K�H\024Ĭ�#}q�v�R \ab���V��I�o�H��B�/�I[L\026��i��KC�d\000/\000\000\005�\001\000\001\000\026\003\001\026\017\v\000\026\v\000\026\b\000\006*0�\006&0�\005\016�\003\002\001\002\002\021\000����f獷����\017��c0

59 6.406485740 10.0.0.15 81.17.254.9 TCP 66 4 39152 → 143 [ACK] Seq=530 Ack=1509 Win=64128 Len=0 TSval=3248854215 TSecr=87655922

60 6.406526577 81.17.254.9 10.0.0.15 IMAP 1434 4 Response: q�\002!\000R����S��n\031�Z�����W5��3��a�>��ms0��\006\003U\035\021\004��0���\023mail.blacknight.com�\030imap5r.cp.blacknight.com�\036inbound-smtp.cp.blacknight.com�\030pop33r.cp.blacknight.com�\030smtp1r.cp.blacknight.com0

61 6.406564200 10.0.0.15 81.17.254.9 TCP 66 4 39152 → 143 [ACK] Seq=530 Ack=2877 Win=62976 Len=0 TSval=3248854215 TSecr=87655922

62 6.406755071 10.0.0.15 81.17.254.9 TCP 73 4 39152 → 143 [PSH, ACK] Seq=530 Ack=2877 Win=62976 Len=7 TSval=3248854216 TSecr=87655922 [TCP segment of a reassembled PDU]

63 6.406890144 10.0.0.15 81.17.254.9 TCP 66 4 39152 → 143 [RST, ACK] Seq=537 Ack=2877 Win=64128 Len=0 TSval=3248854216 TSecr=87655922

64 6.422084923 81.17.254.9 10.0.0.15 TCP 66 4 [TCP Dup ACK 58#1] 143 → 39152 [PSH, ACK] Seq=2877 Ack=530 Win=6912 Len=0 TSval=87655922 TSecr=3248854202

65 6.422130208 10.0.0.15 81.17.254.9 TCP 54 4 39152 → 143 [RST] Seq=530 Win=0 Len=0

66 6.422173720 81.17.254.9 10.0.0.15 IMAP 1434 4 Response: \001\001\f\005\000\003�\002\001\0002�a�\016H�OǺGM�x\031\001�\023\035�o��p�R�13�WR�1�k��T���@\027h�\021\020|����U���6���9Q�F�\017����~I�*6\027��h9z��NVo�{;�

67 6.422204194 10.0.0.15 81.17.254.9 TCP 54 4 39152 → 143 [RST] Seq=530 Win=0 Len=0

68 6.423597989 81.17.254.9 10.0.0.15 IMAP 1434 4 Response: ST0\031\023��}7��]:l5\�A�\022��I\v����\t�b��f�%�����?�9\017�\002��\022L�|�k\005�^\026���g��\023��[��L��[���s�#;-\000�5Ut\tI�IX\032\177�6�Q�\016�&}\034M\027���C&пA_@�DD��W��P\037WT�>�tc/�Pe\t�XB.C\032L��%GY�\004\036��&FJP����x��g\025��W�\036\017c��b��_U.�\�(\b\004%9�\016+��L�\034\a?

69 6.423625986 10.0.0.15 81.17.254.9 TCP 54 4 39152 → 143 [RST] Seq=530 Win=0 Len=0

70 6.423641402 81.17.254.9 10.0.0.15 IMAP 341 4 Response: \006\t*�H��

71 6.423656894 10.0.0.15 81.17.254.9 TCP 54 4 39152 → 143 [RST] Seq=530 Win=0 Len=0

72 6.423666746 81.17.254.9 10.0.0.15 TCP 66 4 143 → 39152 [FIN, ACK] Seq=5888 Ack=537 Win=6912 Len=0 TSval=87655939 TSecr=3248854216

73 6.423676739 10.0.0.15 81.17.254.9 TCP 54 4 39152 → 143 [RST] Seq=537 Win=0 Len=0

75 6.911991172 81.17.254.9 10.0.0.15 POP 86 4 S: +OK Dovecot ready.

76 6.912031999 10.0.0.15 81.17.254.9 TCP 66 4 34206 → 110 [ACK] Seq=1 Ack=21 Win=64256 Len=0 TSval=3248854721 TSecr=87656428

77 6.915765154 10.0.0.15 81.17.254.9 POP 72 4 C: AUTH

78 6.924593664 81.17.254.9 10.0.0.15 TCP 66 4 110 → 34206 [ACK] Seq=21 Ack=7 Win=5888 Len=0 TSval=87656441 TSecr=3248854725

79 6.924624933 81.17.254.9 10.0.0.15 POP 74 4 S: +OK

80 6.924636423 10.0.0.15 81.17.254.9 TCP 66 4 34206 → 110 [ACK] Seq=7 Ack=29 Win=64256 Len=0 TSval=3248854734 TSecr=87656441

81 6.926082760 81.17.254.9 10.0.0.15 TCP 66 4 [TCP Dup ACK 78#1] 110 → 34206 [PSH, ACK] Seq=29 Ack=7 Win=5888 Len=0 TSval=87656441 TSecr=3248854725

82 6.927269329 10.0.0.15 81.17.254.9 POP 72 4 C: CAPA

83 6.938375224 81.17.254.9 10.0.0.15 POP 139 4 S: +OK

84 6.938451630 10.0.0.15 81.17.254.9 TCP 66 4 34206 → 110 [ACK] Seq=13 Ack=102 Win=64256 Len=0 TSval=3248854747 TSecr=87656455

85 6.939828509 10.0.0.15 81.17.254.9 POP 72 4 C: STLS

86 6.950399031 81.17.254.9 10.0.0.15 POP 98 4 S: +OK Begin TLS negotiation now.

87 6.956790198 10.0.0.15 81.17.254.9 TLSv1 583 4 Client Hello

88 6.977024740 81.17.254.9 10.0.0.15 TLSv1 1434 4 Server Hello

89 6.977067276 81.17.254.9 10.0.0.15 TCP 1434 4 110 → 34206 [ACK] Seq=1502 Ack=536 Win=6912 Len=1368 TSval=87656487 TSecr=3248854766 [TCP segment of a reassembled PDU]

90 6.977100230 10.0.0.15 81.17.254.9 TCP 66 4 34206 → 110 [ACK] Seq=536 Ack=2870 Win=62976 Len=0 TSval=3248854786 TSecr=87656487

91 6.977142320 10.0.0.15 81.17.254.9 TLSv1 73 4 Alert (Level: Fatal, Description: Protocol Version)

92 6.977195872 10.0.0.15 81.17.254.9 TCP 66 4 34206 → 110 [RST, ACK] Seq=543 Ack=2870 Win=64128 Len=0 TSval=3248854786 TSecr=87656487

93 6.987253338 81.17.254.9 10.0.0.15 TCP 1434 4 110 → 34206 [ACK] Seq=2870 Ack=536 Win=6912 Len=1368 TSval=87656503 TSecr=3248854786 [TCP segment of a reassembled PDU]

94 6.987291720 10.0.0.15 81.17.254.9 TCP 54 4 34206 → 110 [RST] Seq=536 Win=0 Len=0

95 6.987305589 81.17.254.9 10.0.0.15 TCP 1434 4 110 → 34206 [ACK] Seq=4238 Ack=536 Win=6912 Len=1368 TSval=87656503 TSecr=3248854786 [TCP segment of a reassembled PDU]

96 6.987311841 10.0.0.15 81.17.254.9 TCP 54 4 34206 → 110 [RST] Seq=536 Win=0 Len=0

97 6.987316583 81.17.254.9 10.0.0.15 TLSv1 341 4 Certificate, Server Hello Done

98 6.987321434 10.0.0.15 81.17.254.9 TCP 54 4 34206 → 110 [RST] Seq=536 Win=0 Len=0

99 6.987325138 81.17.254.9 10.0.0.15 TCP 66 4 [TCP Dup ACK 88#1] 110 → 34206 [PSH, ACK] Seq=5881 Ack=536 Win=6912 Len=0 TSval=87656503 TSecr=3248854786

100 6.987329744 10.0.0.15 81.17.254.9 TCP 54 4 34206 → 110 [RST] Seq=536 Win=0 Len=0

101 6.989710109 81.17.254.9 10.0.0.15 TCP 66 4 110 → 34206 [FIN, ACK] Seq=5881 Ack=543 Win=6912 Len=0 TSval=87656506 TSecr=3248854786

102 6.989742987 10.0.0.15 81.17.254.9 TCP 54 4 34206 → 110 [RST] Seq=543 Win=0 Len=0

Modified by NoahSUMO

more options

you may try also with increasing the timeout settings (in about:config). their are also few other related settings to assists TB with older/unsafe protocols.

and if you want to, you may use a second-TB, a v68 series TB, for that email account. more info.

as usual, "mail protection" should be disabled unless it has an "EXCEPTION" sub-option, then add IMAP/POP3 & SMTP, etc into exception list . make sure your AV/SS has "Scan files on access" enabled. use smk code as password for mail-account in TB, if your MSP supports that. or use OAuth2 (enable cookie) for mail-account in TB. more info.

Modified by atErik