QSslSocket handshake fails for TlsV1_2

stryga42

Dear all,
I try to send e-mails via smtp using TLS v1.2 (because the mail server requires that). I stumbeled over a nice example and tried to modify it to TLS 1.2:

...
socket = new QSslSocket(this);
socket->setProtocol(QSsl::TlsV1_2);
connect(socket, SIGNAL(encrypted()), this, SLOT(socketEncrypted()));
connect(socket, SIGNAL(sslErrors(const QList<QSslError> &)), this, SLOT(sslErrorsSl(const QList<QSslError> &)));
connect(socket, SIGNAL(readyRead()), this, SLOT(readyRead()));
connect(socket, SIGNAL(connected()), this, SLOT(connected() ) );
connect(socket, SIGNAL(error(QAbstractSocket::SocketError)), this,SLOT(errorReceived(QAbstractSocket::SocketError)));   
connect(socket, SIGNAL(stateChanged(QAbstractSocket::SocketState)), this, SLOT(stateChanged(QAbstractSocket::SocketState)));
connect(socket, SIGNAL(disconnected()), this,SLOT(disconnected()));
...

Connection itself works, but the handshake fails with Error during SSL handshake: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
It makes no difference if I use connectToHostEncrypted or if I connect unencrypted first and then use startClientEncryption - handshake fails with the same error.
I guess this error message comes not from Qt-code but from some underlying implementation but I am confused that it complains about SSLv3 although I specified TLSv1.2. Can anyone give me hint what's going wrong here?

Edit: I verified with openssl s_client that the transaction succeeds in general, so all I want to do is replicate this inside Qt. Here is the openssl log:

Pi_at_home/smtp$ openssl s_client -host smtp.world4you.com -port 587 -no_ssl3 -no_tls1 -no_tls1_1 -starttls smtp -crlf
CONNECTED(00000003)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.world4you.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.world4you.com
   i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHUjCCBjqgAwIBAgIMKUlNZaWQ/0J265CBMA0GCSqGSIb3DQEBCwUAMEwxCzAJ
BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSIwIAYDVQQDExlB
bHBoYVNTTCBDQSAtIFNIQTI1NiAtIEcyMB4XDTE3MDQxMDA4MzExN1oXDTIwMDQx
MDA4MzExN1owPTEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRgw
FgYDVQQDDA8qLndvcmxkNHlvdS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDbeR8nSLbJEwO2lDns55LHY6uZ7jJ+3g8l01xQpuHFpLkNyew85ZSN
Ha36EcSTYN86tmqsbWLb07dcsT4jO1T9nJJcsJVY6tj/FjiWDiAmYsJAhDpVJNbG
Rj6143oPtv+7JsPrDt06/4GR/OytcYIAPZeDLL+UOco1yrJVapdLue3eMVtLNyvD
MUll/Py6tY5xD3LX7GYu8QXgwXpIPEoS+nLnrvWGTrrHQxZlgbv0DIV5Px0RBy7Z
GayWky6L3zK4XPUBqEosbvHcCfJJbFMC/hasaxNLc8v5ANYtbCdVo3tlxXYSSTHl
VDuJgTpFCdLMKEPzfWHEGUMK/1xwFgVdAgMBAAGjggRBMIIEPTAOBgNVHQ8BAf8E
BAMCBaAwgYkGCCsGAQUFBwEBBH0wezBCBggrBgEFBQcwAoY2aHR0cDovL3NlY3Vy
ZTIuYWxwaGFzc2wuY29tL2NhY2VydC9nc2FscGhhc2hhMmcycjEuY3J0MDUGCCsG
AQUFBzABhilodHRwOi8vb2NzcDIuZ2xvYmFsc2lnbi5jb20vZ3NhbHBoYXNoYTJn
MjBXBgNVHSAEUDBOMEIGCisGAQQBoDIBCgowNDAyBggrBgEFBQcCARYmaHR0cHM6
Ly93d3cuZ2xvYmFsc2lnbi5jb20vcmVwb3NpdG9yeS8wCAYGZ4EMAQIBMAkGA1Ud
EwQCMAAwPgYDVR0fBDcwNTAzoDGgL4YtaHR0cDovL2NybDIuYWxwaGFzc2wuY29t
L2dzL2dzYWxwaGFzaGEyZzIuY3JsMCkGA1UdEQQiMCCCDyoud29ybGQ0eW91LmNv
bYINd29ybGQ0eW91LmNvbTAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
HQYDVR0OBBYEFKIZxH9TsIMa5qQGZAPhKngbApbsMB8GA1UdIwQYMBaAFPXN1TwI
UPlqTzq3l9pWg+Zp0mj3MIICbwYKKwYBBAHWeQIEAgSCAl8EggJbAlkAdwDd6x0r
eg1PpiCLga2BaHB+Lo6dAdVciI09EcTNtuy+zAAAAVtW/RapAAAEAwBIMEYCIQDU
3N3XzYnVREcEvW6lNyK6AlGSbiDCM+zvAKMR17JYfAIhAN9PzYas1XU6oW+slh7t
8PduMqiZjJAD9ENlkasRw0b9AHYAVhQGmi/XwuzT9eG9RLI+x0Z2ubyZEVzA75SY
VdaJ0N0AAAFbVv0W/QAABAMARzBFAiEAgac9ahHXUOYPJCfqPGSRspsHOz8Nh1fg
PILA/TOIWhoCIHS1NZmsg3swvqhq/hewAEZP0xfEOguTS/160d8qhG+rAHUApLkJ
kLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BAAAAFbVv0ZtwAABAMARjBEAiAx
2bJ48akD9TKDtT1igobkzkyxsFmJT9HDkOciGnVx8AIgNsCADYnu/q8E2FFrcNIF
37KuYFXuv72bd864c9vVJjsAdgC72d+8H4pxtZOUI5eqkntHOFeVCqtS6BqQlmQ2
jh7RhQAAAVtW/RpJAAAEAwBHMEUCIBP3/9GvXudvbzupkv0QB8jksf8s1RAnzBPs
zcjcWI80AiEAnZ4PSMG7ElD7ZWW+G/SwQLky0naFIHm1gEQ4xzLkkhUAdwDuS723
dc5guuFCaR+r4Z5mow9+X7By2IMAxHuJeqj9ywAAAVtW/RyDAAAEAwBIMEYCIQCW
N35yevfZeW3HmWo9AJqqY9ctNU4M1LeXDuTNHgdUhgIhAPnPugotcvA6af8DU5be
sduG9XUuMXQorvz5FRE2iJ9tMA0GCSqGSIb3DQEBCwUAA4IBAQAzo+bJIPt7p3oO
YmSJ+3sPlwyftJ5U2F3tKPSOsnO99s5uj6XH19wKWCLsVHLm8LeCw272l185rQge
HWn9SY1oasDaiUIpKDQnw/Nm7i9KiRCKKYUGPcQisClwgycYq12b7robuUl67JtC
h/ArUdtkhUkapoXtwDmoAcFWlVJiauBSSfpR+C6B3YaBASMoKd0T1Y81GEgmq5lc
F7gyeDAprTO2Ob3X9jzU40ap+95SHhlP4/V1EEDMnWycEp064Sv0U2ojzPgFsl3I
QbyTssP22CYiSoImsQJ8/Z7MN3YaSt8w88D4ODogLDyXRHua73JYMRw+DuN4yzhH
QVhF83oJ
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=*.world4you.com
issuer=/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 4600 bytes and written 658 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: 8E6BC6DA7E940F4C12B688289D7E349986DA91DB964517F2C86D63100E5D224A
    Session-ID-ctx: 
    Master-Key: A22734F78D24F8F49BC3CB8702A9CA3C3CE3D5D6A0BB91A6D5FA65FBD25B96B29B396FDF32B1E6D0492B589949524298
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 200 (seconds)
    TLS session ticket:
    0000 - 49 38 59 8e 2f fe 97 e8-d7 1b 5f 23 a4 41 1c 2e   I8Y./....._#.A..
    0010 - 28 91 69 0b 9b d4 ba 08-75 33 9b b9 5b 07 61 a6   (.i.....u3..[.a.
    0020 - 22 d0 f1 f9 d6 ea d4 d2-ca 68 33 e2 b5 78 09 1a   "........h3..x..
    0030 - 95 8a 0d 65 6e 58 2f 16-8c 18 4b 95 fc 97 08 e2   ...enX/...K.....
    0040 - 73 21 f2 38 d7 a3 fe 31-ec f3 af 60 8a c5 fc ee   s!.8...1...`....
    0050 - 79 0c 45 1f ce fd 04 d7-13 86 d3 66 db b7 64 16   y.E........f..d.
    0060 - f9 d9 cf 81 9f 96 a1 e3-24 e0 be 7b 23 33 22 01   ........$..{#3".
    0070 - f4 64 0f b4 67 8d 6b 0a-c7 65 26 27 ca 8f 03 a9   .d..g.k..e&'....
    0080 - 0a 93 fb 1d 09 30 e6 d9-f1 5a 33 58 e5 be 0b 8a   .....0...Z3X....
    0090 - ad 79 d6 46 36 ee b2 cd-65 8a 51 f2 7b da 21 58   .y.F6...e.Q.{.!X

    Start Time: 1499604732
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 HELP
EHLO mydomain.at
250-mx11lb.world4you.com Hello mydomain.at [91.114.187.196]
250-SIZE 157286400
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP
auth plain <base64 encoded credentials were here>
235 Authentication succeeded
mail from: user@mydomain.at
250 OK
rcpt to: someoneelse@gmx.at     
250 Accepted
data
354 Enter message, ending with "." on a line by itself
the lazy fox jumps over the dog
.
250 OK id=1dUBjP-0004tI-Rj
quit
221 mx11lb.world4you.com closing connection
closed

How should I set up QSslSocket to do exactely the same thing as s_client?

SGaist

Hi,

Which version of OpenSSL are you using ?

stryga42

This post is deleted!

stryga42

@SGaist

$ openssl version
OpenSSL 1.0.2g  1 Mar 2016

This seems to be the latest version released with Ubuntu 16.04 since an

apt-get install openssl

didn't change anything. Do you know if parts of SSL are statically linked into the Qt libraries (and may have thus an older version)?

SGaist

No nothing like that. By default, Qt provides a build that dlopens OpenSSL because of international restrictions regarding cryptographic modules.

stryga42

@SGaist Thanks for your efforts. My wild guess is that client and server fail to agree on a cipher which is fine for both. I'll try to clarify without Qt first. Maybe openssl s_client can help.
Just out of curiosity: why does enum QSsl::SslProtocol not list numeric values for all of its members? Most members have a question mark in the value column. Never saw this before in Qt.

SGaist

After a quick look at Qt's sources, the numbering after QSsl::TlsV1_0 depends on a define so it might be related.