TLS negotiation

on 20.10.2006 16:30:05 by nahum_barnea

Hi.

I am trying to send a mail through gmail using telnet to smtp.gmail.com.

I follow RFC-3207 that shows how to do the STARTTLS.

The problem is that I don't know how to do the "TLS negotiation" and I
didn't find any useful guide for this.

Can anyone help?

ThankX,
NAHUM.

PS Here is the quote from RFC-3207

5. Usage Example

The following dialog illustrates how a client and server can start a
TLS session:

S: <waits for connection on TCP port 25>
C: <opens connection>
S: 220 mail.imc.org SMTP service ready
C: EHLO mail.example.com
S: 250-mail.imc.org offers a warm hug of welcome
S: 250-8BITMIME
S: 250-STARTTLS
S: 250 DSN
C: STARTTLS
S: 220 Go ahead
C: <starts TLS negotiation>
C & S: <negotiate a TLS session>
C & S: <check result of negotiation>
C: EHLO mail.example.com
S: 250-mail.imc.org touches your hand gently for a moment
S: 250-8BITMIME
S: 250 DSN

Re: TLS negotiation

on 20.10.2006 17:04:00 by Mark Crispin

On Fri, 20 Oct 2006, nahum_barnea@yahoo.com wrote:
> I am trying to send a mail through gmail using telnet to smtp.gmail.com.
> I follow RFC-3207 that shows how to do the STARTTLS.
> The problem is that I don't know how to do the "TLS negotiation" and I
> didn't find any useful guide for this.

It is impossible to negotiate TLS using the TELNET client program.

TLS can only be negotiated with client programs that are written to
negotiate TLS.

If your intention is to write a mail reading program with mail sending
capabilities (commonly called an MUA or Mail User Agent), there are many
existing, excellent, open-source protocol client engines that support SMTP
(and other protocols such as IMAP, POP3, and NNTP) with full TLS
capabilities.

I suggest that you use one of these engines instead of writing your own.

-- Mark --

http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.

Re: TLS negotiation

on 20.10.2006 17:48:38 by Landmark

Mark Crispin wrote:

> It is impossible to negotiate TLS using the TELNET client program.

I agree it might be a strange thing for the original poster to want to
do, but is it actually impossible or just very difficult? Can you
explain why you say it is impossible?

Re: TLS negotiation

on 20.10.2006 18:17:16 by Mark Crispin

On Fri, 20 Oct 2006, Landmark wrote:
> Mark Crispin wrote:
>> It is impossible to negotiate TLS using the TELNET client program.
> I agree it might be a strange thing for the original poster to want to
> do, but is it actually impossible or just very difficult? Can you
> explain why you say it is impossible?

There are several problems which would need to be addressed in order to
negotiate TLS using the TELNET client program.

"Negotiate TLS" means to do the initial TLS handshake and then
subsequently all client/server interactions are encrypted. That is, the
session switches from non-encrypted to encrypted. [This is a gross
over-simplification and as such is not strictly accurate from a technical
point of view, but it's good enough as a first-order explanation.]

So, you have to be able to start unencrypted bidirectional, and then
switch to bidirectional encryption.

If you do not have the aid of an encryption software package, you have to
do the necessary mathematical computations yourself. Given the amount of
CPU time that it takes a computer, I suspect that even a very skilled
human lacks the necessary computational power.

TLS is binary. You need to be able to get all 256 possible binary octets
into the TELNET program. You also need to recognize all 256 possible
binary octets. This is possible with some TELNETs, but...

...TELNET protocol has an escape at 0xff to do TELNET protocol
negotiations. SMTP and TLS do not use this mechanism, so you have to stop
the TELNET program from doing the TELNET thing with 0xff.

There's more, but you get the picture.

By the time that you solve all of this, you have written a new program
rather than any of the existing TELNET client programs. The reason is
that the solutions to the above problems are quite a bit more work than a
mere bidirectional client/server pipe, which is all that the TELNET client
is being used for.

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.

Re: TLS negotiation

on 20.10.2006 19:16:16 by Landmark

Thanks Mark, that was a very clear explanation.

Re: TLS negotiation

on 20.10.2006 20:24:10 by nahum_barnea

ThankX for the response.

Well, I thought of writing a perl script to send gmail from the command
line.
That's because all MUAs with a command line interface that I tried
(mutt, ssmtp and others) failed on the STARTTLS.
Thus I now try to dig into the RFCs of STARTTLS and TLS.

I understand from your mail that it is not possible through telnet.
Do you think it is possible to achieve with a perl module, and how?

NAHUM


On Oct 20, 5:04 pm, Mark Crispin wrote:
> On Fri, 20 Oct 2006, nahum_bar...@yahoo.com wrote:
> > I am trying to send a mail through gmail using telnet to smtp.gmail.com.
> > I follow RFC-3207 that shows how to do the STARTTLS.
> > The problem is that I don't know how to do the "TLS negotiation" and I
> > didn't find any useful guide for this.
>
> It is impossible to negotiate TLS using the TELNET client program.
>
> TLS can only be negotiated with client programs that are written to
> negotiate TLS.
>
> If your intention is to write a mail reading program with mail sending
> capabilities (commonly called an MUA or Mail User Agent), there are many
> existing, excellent, open-source protocol client engines that support SMTP
> (and other protocols such as IMAP, POP3, and NNTP) with full TLS
> capabilities.
>
> I suggest that you use one of these engines instead of writing your own.
>
> -- Mark --
>
> http://panda.com/mrc
> Democracy is two wolves and a sheep deciding what to eat for lunch.
> Liberty is a well-armed sheep contesting the vote.

Re: TLS negotiation

on 20.10.2006 22:08:37 by Joe Maimon

nahum_barnea@yahoo.com wrote:
> ThankX for the response.
>
> Well, I thought of writing a perl script to send gmail from the command
> line.
> That's because all MUAs with a command line interface that I tried
> (mutt, ssmtp and others) failed on the STARTTLS.
> Thus I now try to dig into the RFCs of STARTTLS and TLS.

sendmail has TLS support, and that's what most popular unix MUAs are
capable of calling to perform their delivery.

Re: TLS negotiation

on 21.10.2006 10:43:44 by Tim Woodall

On 20 Oct 2006 07:30:05 -0700,
nahum_barnea@yahoo.com wrote:
>
> Hi.
>
> I am trying to send a mail through gmail using telnet to smtp.gmail.com.
>
> I follow RFC-3207 that shows how to do the STARTTLS.
>
> The problem is that I don't know how to do the "TLS negotiation" and I
> didn't find any useful guide for this.
>
> Can anyone help?
>
> ThankX,
> NAHUM.
>

use openssl instead of telnet:

openssl s_client -connect :25 -starttls smtp

and all the initial handshaking will be handled for you.

Tim.

--
God said, "div D = rho, div B = 0, curl E = - @B/@t, curl H = J + @D/@t,"
and there was light.

http://tjw.hn.org/ http://www.locofungus.btinternet.co.uk/

Re: TLS negotiation

on 22.10.2006 19:08:03 by nahum_barnea

Thanks.

I tried:

openssl s_client -connect smtp.gmail.com:25 -starttls smtp

But I get:
CONNECTED(00000003)
3592:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:s23_clnt.c:567:

Does it work for you?


Tim Woodall wrote:
> On 20 Oct 2006 07:30:05 -0700,
> nahum_barnea@yahoo.com wrote:
> >
> > Hi.
> >
> > I am trying to send a mail through gmail using telnet to smtp.gmail.com.
> >
> > I follow RFC-3207 that shows how to do the STARTTLS.
> >
> > The problem is that I don't know how to do the "TLS negotiation" and I
> > didn't find any useful guide for this.
> >
> > Can anyone help?
> >
> > ThankX,
> > NAHUM.
> >
>
> use openssl instead of telnet:
>
> openssl s_client -connect :25 -starttls smtp
>
> and all the initial handshaking will be handled for you.
>
> Tim.
>
> --
> God said, "div D = rho, div B = 0, curl E = - @B/@t, curl H = J + @D/@t,"
> and there was light.
>
> http://tjw.hn.org/ http://www.locofungus.btinternet.co.uk/

Re: TLS negotiation

on 22.10.2006 23:59:30 by Tim Woodall

Please don't top post.
On 22 Oct 2006 10:08:03 -0700,
nahum_barnea@yahoo.com wrote:
> Tim Woodall wrote:
>> On 20 Oct 2006 07:30:05 -0700,
>> nahum_barnea@yahoo.com wrote:
>> >
>> > Hi.
>> >
>> > I am trying to send a mail through gmail using telnet to smtp.gmail.com.
>> >
>> > I follow RFC-3207 that shows how to do the STARTTLS.
>> >
>> > The problem is that I don't know how to do the "TLS negotiation" and I
>> > didn't find any useful guide for this.
>> >
>> > Can anyone help?
>> >
>> > ThankX,
>> > NAHUM.
>> >
>>
>> use openssl instead of telnet:
>>
>> openssl s_client -connect :25 -starttls smtp
>>
>> and all the initial handshaking will be handled for you.
>>
>> Tim.
>>
>
> Thanks.
>
> I tried:
>
> openssl s_client -connect smtp.gmail.com:25 -starttls smtp
>
> But I get:
> CONNECTED(00000003)
> 3592:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol:s23_clnt.c:567:
>
> Does it work for you?
>

Unfortunately, openssl won't work with this mailserver. It requires the
HELO before the TLS negotiation. openssl violates the RFCs and sends the
STARTTLS without a HELO first:

tim@feynman:~$ telnet smtp.gmail.com 25
Trying 64.233.183.109...
Connected to smtp.gmail.com.
Escape character is '^]'.
220 mx.google.com ESMTP k9sm2369588nfc
STARTTLS
503 5.5.1 EHLO/HELO first k9sm2369588nfc

It works fine with sendmail:

tim@feynman:~$ openssl s_client -connect einstein:25 -starttls smtp
CONNECTED(00000003)
depth=1 /C=GB/ST=Hertfordshire/L=Watford/O=Certificate Authority/CN=Tim Woodall CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain

Verify return code: 19 (self signed certificate in certificate
chain)
---
220 einstein.home.woodall.me.uk ESMTP Sendmail
8.13.4/8.13.4/Debian-3sarge1; Sun, 22 Oct 2006 22:48:28 +0100; (No
UCE/UBE) logging access from:
feynman.home.woodall.me.uk(OK)-feynman.home.woodall.me.uk
[192.168.100.63]

Have a look at:
http://www.mail-archive.com/openssl-dev%40openssl.org/msg20105.html
or
http://www.mail-archive.com/openssl-dev%40openssl.org/msg20823.html
for a patch that sends a HELO before starting TLS.

see also:
http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20060206/msg00065.html
where it is claimed that 0.9.7f (on FC4) sends "EHLO some.host.name"
before STARTTLS. I'm on 0.9.7e-3sarge4 so I can't confirm this.

Tim.

--
God said, "div D = rho, div B = 0, curl E = - @B/@t, curl H = J + @D/@t,"
and there was light.

http://tjw.hn.org/ http://www.locofungus.btinternet.co.uk/
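The RFC 3207 dialog quoted in the original post and the "503 5.5.1 EHLO/HELO first" that Tim got from smtp.gmail.com describe the same ordering rule: EHLO, then STARTTLS, then the handshake, then EHLO again over the secured channel. The following is an added example, written for this page and not code from anyone in the thread. Nahum asked about Perl; the sequence is shown in Python instead, whose standard ssl module performs the handshake that telnet cannot. It assumes a constructed scripted server (mx.example.test) standing in for smtp.gmail.com so it runs offline; the class and function names (SmtpStartTlsClient, ScriptedServer, real_tls_wrap, secure_session) are the example's own. Beyond the command order, it refuses to continue in the clear when STARTTLS is not advertised and discards the pre-TLS EHLO response, as RFC 3207 section 4.2 requires.

```python
import socket
import ssl


class SmtpError(Exception):
    """Raised on an unexpected or malformed SMTP reply."""


class SmtpStartTlsClient:
    """Minimal RFC 3207 client: EHLO, STARTTLS, handshake, EHLO again."""

    def __init__(self, transport, my_hostname, tls_wrap):
        self.sock = transport        # a real socket, or anything with sendall()/recv()
        self.my_hostname = my_hostname
        self.tls_wrap = tls_wrap     # callable(sock) -> TLS-wrapped sock (does the handshake)
        self.buf = b""
        self.capabilities = []
        self.tls_active = False

    def _read_reply(self):
        """Read one (possibly multi-line) reply; return (code, [text lines])."""
        lines = []
        while True:
            while b"\r\n" not in self.buf:
                chunk = self.sock.recv(4096)
                if not chunk:
                    raise SmtpError("connection closed by server")
                self.buf += chunk
            raw, self.buf = self.buf.split(b"\r\n", 1)
            text = raw.decode("ascii", "replace")
            code_str, sep, rest = text[:3], text[3:4], text[4:]
            if not code_str.isdigit() or sep not in ("-", " ", ""):
                raise SmtpError("malformed reply: %r" % text)
            lines.append(rest)
            if sep != "-":           # "250-..." continues the reply, "250 ..." ends it
                return int(code_str), lines

    def _cmd(self, line, expected):
        self.sock.sendall(line.encode("ascii") + b"\r\n")
        code, lines = self._read_reply()
        if code != expected:
            raise SmtpError("%s -> %d %s" % (line, code, " ".join(lines)))
        return lines

    def ehlo(self):
        lines = self._cmd("EHLO " + self.my_hostname, 250)
        # first line is the server's greeting, the rest are EHLO keywords
        self.capabilities = [l.split()[0].upper() for l in lines[1:] if l.strip()]
        return self.capabilities

    def connect_and_secure(self):
        code, _greeting = self._read_reply()
        if code != 220:
            raise SmtpError("unexpected greeting code %d" % code)
        self.ehlo()                              # EHLO first, or the server answers 503
        if "STARTTLS" not in self.capabilities:  # never fall back to plaintext silently
            raise SmtpError("server does not offer STARTTLS; refusing to continue in the clear")
        self._cmd("STARTTLS", 220)
        self.sock = self.tls_wrap(self.sock)     # TLS handshake happens here
        self.tls_active = True
        self.buf = b""                           # RFC 3207 4.2: forget everything pre-TLS
        self.capabilities = []
        return self.ehlo()                       # and ask again over the secured channel


def real_tls_wrap(server_hostname):
    """Wrap function for a real socket: verified chain and hostname via the ssl module."""
    ctx = ssl.create_default_context()
    return lambda sock: ctx.wrap_socket(sock, server_hostname=server_hostname)


def secure_session(host, port=25, my_hostname="client.example.test"):
    """Live use (not run offline): open a TCP connection and return post-TLS capabilities."""
    transport = socket.create_connection((host, port), timeout=15)
    return SmtpStartTlsClient(transport, my_hostname, real_tls_wrap(host)).connect_and_secure()


class ScriptedServer:
    """Constructed stand-in for the server in the thread: 503 if STARTTLS arrives
    before EHLO, otherwise '220 Go ahead'. Not a real network service."""

    def __init__(self, offers_starttls=True):
        self.offers_starttls = offers_starttls
        self.seen_ehlo = False
        self.tls = False
        self.out = b"220 mx.example.test ESMTP (constructed)\r\n"

    def sendall(self, data):
        cmd = data.decode("ascii").strip().upper()
        if cmd.startswith("EHLO "):
            self.seen_ehlo = True
            reply = ["250-mx.example.test at your service", "250-8BITMIME"]
            if self.offers_starttls and not self.tls:   # not re-advertised once TLS is up
                reply.append("250-STARTTLS")
            reply.append("250 DSN")
        elif cmd == "STARTTLS":
            reply = ["220 Go ahead"] if self.seen_ehlo else ["503 5.5.1 EHLO/HELO first"]
        else:
            reply = ["500 unrecognised command"]
        self.out += ("\r\n".join(reply) + "\r\n").encode("ascii")

    def recv(self, n):
        data, self.out = self.out[:n], self.out[n:]
        return data


def fake_tls_wrap(transport):
    """Stands in for the handshake against ScriptedServer; marks the channel secured."""
    transport.tls = True
    return transport


def demo_correct_order():
    """EHLO, STARTTLS, handshake, EHLO: returns (tls_active, post-TLS capabilities)."""
    client = SmtpStartTlsClient(ScriptedServer(), "client.example.test", fake_tls_wrap)
    caps = client.connect_and_secure()
    return client.tls_active, caps


def demo_starttls_before_ehlo():
    """Reproduces Tim's telnet session: STARTTLS without EHLO is refused with 503."""
    client = SmtpStartTlsClient(ScriptedServer(), "client.example.test", fake_tls_wrap)
    client._read_reply()                      # consume the 220 greeting
    try:
        client._cmd("STARTTLS", 220)
    except SmtpError as err:
        return str(err)
    return "no error"


def demo_starttls_not_offered():
    """A server that omits STARTTLS from EHLO must not get a plaintext session."""
    client = SmtpStartTlsClient(ScriptedServer(offers_starttls=False),
                                "client.example.test", fake_tls_wrap)
    try:
        client.connect_and_secure()
    except SmtpError as err:
        return str(err)
    return "no error"


if __name__ == "__main__":
    print(demo_correct_order())
    print(demo_starttls_before_ehlo())
    print(demo_starttls_not_offered())
```

Against a live server, secure_session(host) replaces the scripted transport with a real socket and the fake wrap with ssl.create_default_context(), which verifies the certificate chain and hostname (the "self signed certificate" line in Tim's s_client output is exactly the kind of failure that check surfaces). The refusal when STARTTLS is not advertised is deliberate: a client that quietly continues without TLS in that case leaks the whole session, credentials included, to anyone able to drop the keyword from the EHLO reply.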