Aztec

[ EIdTLSClientTLSHandShakeFailed ] SSL negotiation failed


Hi All

I am trying to send email using Indy on our server. We currently run Ubuntu 22.04, Delphi is 11.3 with the Indy that comes with it.

However when we try and send email we get the following error
[ EIdTLSClientTLSHandShakeFailed ] SSL negotiation failed

The code looks like this:
SMTPServer := TIdSMTP.Create;
SSL := TIdSSLIOHandlerSocketOpenSSL.Create(nil);

SSL.SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2];
SSL.SSLOptions.Mode        := sslmClient;
SSL.SSLOptions.VerifyMode  := [];
SSL.SSLOptions.VerifyDepth := 0;

SMTPServer.Host      := OutgoingServer;
SMTPServer.Port      := SMTPPort;
SMTPServer.Username  := Username;
SMTPServer.Password  := Password;
SMTPServer.IOHandler := SSL;
SMTPServer.UseEhlo   := True;
SMTPServer.UseTLS    := utUseExplicitTLS;

The parameters I am assigning are correct.

Not quite sure where to go from here, so any help would be appreciated.

Thanks!

 


Maybe you can try with:

 

//I think these two lines resolve your problems
SSL.SSLOptions.Mode := sslmUnassigned;
SMTPServer.UseTLS := utUseImplicitTLS; //look also for SSL.Port setting like 465
//
SMTPServer.AuthType := satDefault;
SMTPServer.ValidateAuthLoginCapability := True;
SMTPServer.Connect;
SMTPServer.Authenticate;
if SMTPServer.DidAuthenticate then
  begin
    //Make message
    SmtpServer.Send(message);
  end;

If you search in the Forum there are other discussions about that.

 

Bye

Edited by DelphiUdIT

10 hours ago, Aztec said:

However when we try and send email we get the following error
[ EIdTLSClientTLSHandShakeFailed ] SSL negotiation failed

EIdTLSClientTLSHandShakeFailed is an outer exception raised when an earlier exception is caught during the TLS handshake.  What does its InnerException say was the initial error?

10 hours ago, Aztec said:

the parameters I am assigning are correct

What are the actual values you are using?  In particular, which Port are you TRYING to connect to, and which Port is it ACTUALLY connecting to?  I notice that you are assigning the Port first, then assigning the IOHandler and UseTLS after.  Depending on the particular Port value, the UseTLS setter MIGHT be changing the Port to a different value.  Try setting the Port after setting UseTLS, to make sure you are actually using the Port you are expecting.

 

Aside from that, does the server in question still support TLS 1.1/1.2?  Some servers have made the jump to requiring TLS 1.3 nowadays.

Edited by Remy Lebeau


Hi 

The actual inner error is General Exception: Could not load SSL library. I did a search in here and it seems that everyone is talking about Windows, but could not find anything related to Linux.

I am using Virtualmin on Ubuntu 22.04. In Virtualmin, the mail server is Postfix.

The smtp port is 465, and is being set correctly.

Looking in the configs, it does seem that the various SSL versions can be allowed or rejected (See screen shot). I have allowed them all for now, but that makes no difference. Also attaching the config of the Postfix - maybe something in there will show something?

 

thanks for your help!!

 

 

 

Screenshot 2023-09-29 at 11.13.38 am.png

Screenshot 2023-09-29 at 11.16.41 am.png

Screenshot 2023-09-29 at 11.16.51 am.png

Screenshot 2023-09-29 at 11.17.03 am.png

34 minutes ago, Aztec said:

The actual inner error is General Exception: Could not load SSL library.

Hmm, that should say EIdOSSLCouldNotLoadSSLLibrary instead of General Exception. But at least the root cause is now known.

Quote

I did a search in here and it seems that everyone is talking about Windows, but could not find anything related to Linux.

Indy dynamically loads OpenSSL at runtime on most platforms, including Linux. You are seeing the error when Indy is not able to load OpenSSL at runtime. 

Quote

Looking in the configs, it does seem that the various SSL versions can be allowed or rejected (See screen shot). I have allowed them all for now, but that makes no difference.

In one of those screens, I see libssl.so.3 and libcrypto.so.3 shown. Those are the OpenSSL libs, but are they for OpenSSL v3.0? If so, that version is not compatible with TIdSSLIOHandlerSocketOpenSSL.

 

By default, Indy loads unversioned .so files before loading versioned files. If those unversioned files are symlinks that map to newer versions, you could get the load error.

 

On 'Nix platforms, Indy has IdOpenSSLSetCanLoadSymLinks() and IdOpenSSLSetLoadSymLinksFirst() functions in the IdSSLOpenSSLHeaders unit. You can set them to False at runtime before using Indy, that way it loads the versioned .so files first/only, and then you can deploy OpenSSL v1.0.2 .so files with your app that are currently compatible with Indy.

 

If that is not an option, then you can try this WIP SSLIOHandler for newer OpenSSL versions (not sure if it supports v3.0 or Linux, though) instead of TIdSSLIOHandlerSocketOpenSSL.

 

In any case, one way to handle this error condition a little better in TIdSSLIOHandlerSocketOpenSSL is to call Indy's LoadOpenSSLLibrary() function from the IdSSLOpenSSL unit during your app's startup. If it fails, you can use Indy's WhichFailedToLoad() function from the IdSSLOpenSSLHeaders unit to help diagnose why it failed.

Edited by Remy Lebeau


Ok cool. I will try that.

 

Where can I find those .so files though? Does this require an installation on linux or can I simply place them in the same location as my module?
Will indy support the latest SSLlib in Delphi 12?

 

cheers

24 minutes ago, Aztec said:

Where can I find those .so files though?

There are some at https://github.com/IndySockets/OpenSSL-Binaries, though those might be for Android not Linux (though Android runs on top of Linux). Otherwise you'll have to look around.

Quote

Does this require an installation on linux or can I simply place them in the same location as my module?

You can simply put them in your app's folder, or anywhere else you want. If needed, Indy has an IdOpenSSLSetLibPath() function in the IdSSLOpenSSLHeaders unit.

Quote

Will indy support the latest SSLlib in Delphi 12?

I don't know at this time.

 

I have discussed this matter with Marco Cantu and others, so they are certainly interested in a resolution, and are aware of the PR on GitHub.

 

They are likely going to ship an up-to-date version of Indy's main code with Delphi 12 (see disclaimer below!), but whether they include the PR code in some form is unclear at this time. It is a pretty big PR, and is not incorporated into the main code.

 

I suggested maybe putting the PR code into a new package. Marco suggested maybe providing it as an optional add-on via GetIt, but that is something they would have to set up on their end, if at all.

 

Disclaimer: This blog post is based on a pre-release version of the RAD Studio software and it has been written with specific permission by Embarcadero. No feature is committed until the product GA release.

Edited by Remy Lebeau
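
The startup check described in the two replies above (symlink settings, library path, LoadOpenSSLLibrary() and WhichFailedToLoad()), shown as an added example that is not part of the original posts or Indy's own code. InitIndyOpenSSL is a hypothetical helper, and the library folder (next to the executable) is an assumption.

```delphi
program CheckIndyOpenSSL;

{$APPTYPE CONSOLE}

uses
  System.SysUtils,
  IdSSLOpenSSL,         // LoadOpenSSLLibrary, OpenSSLVersion
  IdSSLOpenSSLHeaders;  // IdOpenSSLSet*, WhichFailedToLoad

// Hypothetical helper: tells Indy where and how to look for OpenSSL, then
// loads it once at startup so a missing or incompatible library is reported
// here instead of surfacing later as a failed TLS handshake.
function InitIndyOpenSSL(const ALibDir: string; out AError: string): Boolean;
begin
  AError := '';
  // Assumption: the compatible OpenSSL .so files are deployed in ALibDir.
  if ALibDir <> '' then
    IdOpenSSLSetLibPath(ALibDir);
  {$IFDEF LINUX}
  // Load versioned files only, so an unversioned libssl.so symlink that
  // points at a newer, incompatible build is never picked up.
  IdOpenSSLSetCanLoadSymLinks(False);
  IdOpenSSLSetLoadSymLinksFirst(False);
  {$ENDIF}
  Result := LoadOpenSSLLibrary;
  if not Result then
  begin
    // Indy's own report of what it could not load.
    AError := WhichFailedToLoad;
    if AError = '' then
      AError := 'no details reported; check the files in ' + ALibDir;
  end;
end;

var
  Err: string;
begin
  // Assumption: the libraries sit next to the executable.
  if InitIndyOpenSSL(ExtractFilePath(ParamStr(0)), Err) then
    Writeln('OpenSSL loaded: ', OpenSSLVersion)
  else
  begin
    Writeln('OpenSSL failed to load: ', Err);
    Halt(1);
  end;
end.
```

Run it on the target server before creating any TIdSSLIOHandlerSocketOpenSSL; the same call sequence can be moved into the application's own startup code.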


ok great. Thanks for your prompt replies.

 

I will try this and see how I get on.

 

Cheers
