On Mon, Nov 19, 2012 at 04:03:15PM -0500, Wietse Venema wrote:

> > I applied the suggested changes and decided to test the server.
> >
> > "openssl s_client -tls1 -connect mail.example.com:25" returned
> > "SSL3_GET_RECORD:wrong version number". What is the problem?
>
> Stuff the error message into a search engine.
>
> The result: one end of the connection wants to talk SSLv3 and the
> other end supports only TLSv1.

In this case the problem is deeper: one end is not even talking SSL/TLS.
The "wrong version number" is a bit of a red herring; an SMTP banner is
misreported as an SSL record layer header with an unexpected protocol
version. Avoiding this problem would have required a more bloated TLS
record layer, so better reporting is not easy.

--
Viktor.
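
The misreport described above can be reproduced offline. This is an added example, not part of the original thread: it reads the first five bytes of a server response the way a TLS record layer would and separately checks for an SMTP reply line. The banner text, the sample handshake bytes and the function names are constructed for illustration.

```python
import re
import struct

# TLS record-layer content types (RFC 5246, section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

# An SMTP reply line starts with a three-digit code, then space or hyphen.
SMTP_REPLY = re.compile(rb"^[2-5][0-9]{2}[ -]")

# Constructed samples: a plaintext SMTP greeting and the start of a TLS
# handshake record (type 22, version 3.1, length 81).
SMTP_BANNER = b"220 mail.example.com ESMTP Postfix\r\n"
TLS_RECORD = b"\x16\x03\x01\x00\x51\x02"


def parse_record_header(data):
    """Interpret the first 5 bytes as type(1) | major(1) | minor(1) | length(2)."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"content_type": ctype, "version": (major, minor), "length": length}


def diagnose(data):
    """Return (verdict, header) for the first bytes received from a server."""
    hdr = parse_record_header(data)
    if hdr["content_type"] in CONTENT_TYPES and hdr["version"][0] == 3:
        return "tls-record", hdr
    if SMTP_REPLY.match(data):
        # The peer is speaking cleartext SMTP; the "version" is banner text.
        return "plaintext-smtp", hdr
    return "unknown", hdr


if __name__ == "__main__":
    for sample in (SMTP_BANNER, TLS_RECORD):
        verdict, hdr = diagnose(sample)
        print(f"{sample[:5]!r}: {verdict}, as record header: {hdr}")
```

Read as a record header, the bytes `220 m` give a "version" of 50.48, which is what a TLS client rejects. On port 25 the server speaks SMTP until STARTTLS is issued; `openssl s_client -starttls smtp` performs that step before the handshake.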