curl-library

SEC_E_MESSAGE_ALTERED - SMTP session with SSPI

From: Mariusz Gogulski <mgo_at_in-software.com>
Date: Fri, 16 Dec 2016 11:46:12 +0100

Hello,

We are using cURL to handle SMTP sessions in our mail client. We are using the SSPI version of encryption (Schannel). Some of our users are rarely experiencing problems during the handshake. It happens every few days, once or twice a day (so it looks very random), but it has occurred only for 3 SMTP servers so far (out of the 200 SMTP servers that are currently being used by our users). Below is a log from such a session with Schannel information. As you can see, at some point InitializeSecurityContext fails with the error SEC_E_MESSAGE_ALTERED. It looks like the offset in the last packet is not right in step 2/3, comparing it with a correct handshake:

Correct handshake:
schannel: encrypted data buffer: offset 242 length 4218.
schannel: SSL/TLS handshake complete.

Incorrect handshake:
schannel: encrypted data buffer: offset 7 length 4218.
schannel: next InitializeSecurityContext failed: SEC_E_MESSAGE_ALTERED

What could be the reason for this problem? Is it more of a server-side or a client-side kind of problem? Is there anything we can do to fix it on the client side?

Log (without sensitive data):
     Rebuilt URL to: smtp://<<SMTP Server>>:587
     Trying <<IP>>....
     Connected to <<SMTP Server>> (<<IP>>) port 587 (#0).
<-- 220 <<SMTP Server>> ESMTP HOSTMSA; Tue, 6 Dec 2016 10:52:44 +0100
--> EHLO <<SMTP Client>>
<-- 250-<<SMTP Server>> Hello <<SMTP Client>>, pleased to meet you
<-- 250-ENHANCEDSTATUSCODES
<-- 250-PIPELINING
<-- 250-8BITMIME
<-- 250-SIZE 500000000
<-- 250-AUTH LOGIN PLAIN
<-- 250-STARTTLS
<-- 250-DELIVERBY
<-- 250 HELP
--> STARTTLS
<-- 220 2.0.0 Ready to start TLS
     schannel: SSL/TLS connection with <<SMTP Server>> port 587 (step 1/3).
     schannel: disabled server certificate revocation checks.
     schannel: verifyhost setting prevents Schannel from comparing the supplied target name with the subject names in server certificates. Also disables SNI..
     schannel: sending initial handshake data: sending 182 bytes....
     schannel: sent initial handshake data: sent 182 bytes.
     schannel: SSL/TLS connection with <<SMTP Server>> port 587 (step 2/3).
     schannel: failed to receive handshake, need more data.
     schannel: SSL/TLS connection with <<SMTP Server>> port 587 (step 2/3).
     schannel: encrypted data buffer: offset 1432 length 4096.
     schannel: encrypted data length: 1374.
     schannel: encrypted data buffer: offset 1374 length 4096.
     schannel: received incomplete message, need more data.
     schannel: SSL/TLS connection with <<SMTP Server>> port 587 (step 2/3).
     schannel: encrypted data buffer: offset 3194 length 4096.
     schannel: a client certificate has been requested.
     schannel: SSL/TLS connection with <<SMTP Server>> port 587 (step 2/3).
     schannel: encrypted data buffer: offset 3194 length 4218.
     schannel: sending next handshake data: sending 325 bytes....
     schannel: SSL/TLS connection with <<SMTP Server>> port 587 (step 2/3).
     schannel: encrypted data buffer: offset 7 length 4218.
     schannel: next InitializeSecurityContext failed: SEC_E_MESSAGE_ALTERED (0x8009030F) - The message or signature supplied for verification has been altered.
     Closing connection 0.
     schannel: shutting down SSL/TLS connection with <<SMTP Server>> port 587.
     schannel: clear security context handle.
     schannel: clear credential handle.

Regards,
Mariusz Gogulski
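As an added example (not code from the post or from curl itself), a small Python triage helper for verbose traces like the one above: it pulls the per-step buffer counts, the client-certificate request and the failing SSPI status out of the log so that failures can be correlated across many servers, and it flags when the last buffered count equals the 7 bytes of a single plaintext TLS alert record (5-byte record header plus a 2-byte level/description body). Assumptions: the input is libcurl's schannel infof() text as quoted above, and in the "encrypted data buffer" line "offset" is the number of encrypted bytes buffered so far (as in libcurl's schannel backend) while "length" is the buffer capacity.

```python
import re

# Constructed samples: the failing and the "correct" schannel excerpts from the
# post, trimmed to the lines the parser reads (placeholders kept as posted).
FAILING_LOG = """\
schannel: SSL/TLS connection with <<SMTP Server>> port 587 (step 2/3).
schannel: encrypted data buffer: offset 1432 length 4096.
schannel: a client certificate has been requested.
schannel: encrypted data buffer: offset 3194 length 4218.
schannel: sending next handshake data: sending 325 bytes....
schannel: encrypted data buffer: offset 7 length 4218.
schannel: next InitializeSecurityContext failed: SEC_E_MESSAGE_ALTERED (0x8009030F) - The message or signature supplied for verification has been altered.
"""
GOOD_LOG = """\
schannel: SSL/TLS connection with <<SMTP Server>> port 587 (step 2/3).
schannel: encrypted data buffer: offset 242 length 4218.
schannel: SSL/TLS handshake complete.
"""

STEP_RE = re.compile(r"\(step (\d)/3\)")
BUF_RE = re.compile(r"encrypted data buffer: offset (\d+) length (\d+)")
FAIL_RE = re.compile(r"InitializeSecurityContext failed: (\w+) \((0x[0-9A-Fa-f]+)\)")
TLS_ALERT_RECORD_LEN = 5 + 2  # record header + (level, description) alert body


def summarize_handshake(log: str) -> dict:
    # Reduce a trace to the facts worth correlating across servers: one
    # (step, buffered bytes, capacity) tuple per buffer report, plus status.
    s = {"offsets": [], "client_cert_requested": False, "error": None,
         "error_code": None, "complete": False}
    step = None
    for line in log.splitlines():
        if m := STEP_RE.search(line):
            step = int(m.group(1))
        if m := BUF_RE.search(line):
            s["offsets"].append((step, int(m.group(1)), int(m.group(2))))
        if "client certificate has been requested" in line:
            s["client_cert_requested"] = True
        if m := FAIL_RE.search(line):
            s["error"], s["error_code"] = m.group(1), m.group(2)
        if "handshake complete" in line:
            s["complete"] = True
    return s


def classify_final_buffer(summary: dict) -> str:
    # Assumption: 'offset' counts encrypted bytes received but not yet consumed,
    # so exactly 7 bytes at failure time is the size of one plaintext TLS alert.
    if summary["error"] is None or not summary["offsets"]:
        return "no-failure" if summary["error"] is None else "no-buffer-data"
    _, buffered, _ = summary["offsets"][-1]
    return "alert-sized" if buffered == TLS_ALERT_RECORD_LEN else "other"
```

Feeding each failing session's trace through summarize_handshake and grouping by server, error code and classification makes it easy to see whether the 3 affected servers always fail in the same place.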

-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-12-16