david_navigator 12 Posted October 21, 2021 One of my customer's has started to get this error connecting my app to outlook.office365.com via IMAP. He's connecting to port 993 using Implicit TLS. He says that my app has been working for ages and has just started throwing this error, so I'm assuming that something has changed in the world of Microsoft - yet none of my other customers are reporting the error nor can I find anything online that suggest a change that Microsoft may have rolled out in the past week. I get the same error if I try on my PC with his Microsoft credential. I don't really understand what the error means though to then try and diagnose further what might be going on or settings he needs to look for in his account. Any help much appreciated. David Share this post Link to post
Remy Lebeau 1436 Posted October 21, 2021 (edited) Quote He says that my app has been working for ages and has just started throwing this error, so I'm assuming that something has changed in the world of Microsoft - yet none of my other customers are reporting the error nor can I find anything online that suggest a change that Microsoft may have rolled out in the past week. I'm assuming you are using OpenSSL, which version? Also, what version of the SSL/TLS protocol are you using? Quote I get the same error if I try on my PC with his Microsoft credential. Then you should be able to debug it. For instance, using Wireshark, you can see the details of the actual SSL/TLS handshake (at least until the connection is encrypted. It takes a few back-and-forths to get that far). At what stage in the handshake is the server disconnecting? Quote I don't really understand what the error means The error means that the IMAP server is closing its end of the TCP connection while the SSL/TLS handshake is still in progress. Typically, this happens if the server encounters something it doesn't like in the client's SSL/TLS handshake, and the server decides to bail out without first sending a TLS alert to explain what is wrong. Edited October 21, 2021 by Remy Lebeau Share this post Link to post
david_navigator 12 Posted October 22, 2021 Quote I'm assuming you are using OpenSSL, which version? Also, what version of the SSL/TLS protocol are you using? If you mean the version numbers of libeay32.dll & ssleay32.dll, then they're 1.0.1.3 (1.0.1c) - dated 27/01/2014 !!! Looking at the code below, it looks like SSLOptions.Method := sslvTLSv1; TheImap.UseTLS := utUseImplicitTLS if (ComboUseSSL.EditValue <> -1) or (ComboUseTLS.EditValue <> 0) then begin with IdSSLIOHandlerSocketOpenSSL1 do begin Name := 'IdSSLIOHandlerSocketOpenSSL1'; Destination := format('%s:%s', [EditServerHost.text, EditPort.text]); // 'imap.gmail.com:993'; Host := EditServerHost.text; MaxLineAction := maException; Port := strtoint(EditPort.text); DefaultPort := 0; // TIdSSLVersion = (sslvSSLv2, sslvSSLv23, sslvSSLv3, sslvTLSv1,sslvTLSv1_1,sslvTLSv1_2); if ComboUseSSL.EditValue <> -1 then // if -1 then just use default which is sslvTLSv1 SSLOptions.Method := TIdSSLVersion(ComboUseSSL.EditValue) else SSLOptions.Method := sslvTLSv1; SSLOptions.Mode := sslmUnassigned; SSLOptions.VerifyMode := []; SSLOptions.VerifyDepth := 0; end; TheImap.IOHandler := IdSSLIOHandlerSocketOpenSSL1; end else TheImap.IOHandler := nil; // TIdUseTLS = ( // utNoTLSSupport, // utUseImplicitTLS, // ssl iohandler req, allways tls // utUseRequireTLS, // ssl iohandler req, user command only accepted when in tls // utUseExplicitTLS // < user can choose to use tls // ); TheImap.UseTLS := TIdUseTLS(ComboUseTLS.EditValue); Quote For instance, using Wireshark,.... Thanks. I'll try and set that up and see what I can find. Share this post Link to post
Virgo 18 Posted October 22, 2021 (edited) 3 hours ago, david_navigator said: If you mean the version numbers of libeay32.dll & ssleay32.dll, then they're 1.0.1.3 (1.0.1c) - dated 27/01/2014 !!! That is really old version. 3 hours ago, david_navigator said: SSLOptions.Method := sslvTLSv1; And that is old deprecated version of TLS. Anything before TLS 1.2 is deprecated. Edited October 22, 2021 by Virgo 1 Share this post Link to post
DaveW 1 Posted October 22, 2021 You can download the latest DLLs here: https://github.com/IndySockets/OpenSSL-Binaries and for more info go here: https://docwiki.embarcadero.com/RADStudio/Sydney/en/Securing_Indy_Network_Connections I would change: SSLOptions.Method := sslvTLSv1; to SSLOptions.Method := sslvTLSv1_2; 1 Share this post Link to post
david_navigator 12 Posted October 22, 2021 Initial tests show that changing the method thus SSLOptions.Method := sslvTLSv1_2; fixes the problem. Will do some more testing but looking good 🙂 Will try later versions of the dll's too. Share this post Link to post
Remy Lebeau 1436 Posted October 22, 2021 (edited) 8 hours ago, david_navigator said: If you mean the version numbers of libeay32.dll & ssleay32.dll, then they're 1.0.1.3 (1.0.1c) - dated 27/01/2014 !!! Yes, I do, and that is a VERY old version of OpenSSL, you need to upgrade. Indy currently supports up to 1.0.2u dated 21/12/2019, which you can find at https://github.com/IndySockets/OpenSSL-Binaries/ Work on supporting 1.1.x is in progress: https://github.com/IndySockets/Indy/pull/299 8 hours ago, david_navigator said: SSLOptions.Method := sslvTLSv1; The Method property is deprecated, you should be using the SSLVersions property instead. TLS 1.0 has been (almost) completely phased out of modern servers. Most modern servers support, if not require, TLS 1.2, so that really should be your minimum going forward nowadays. You should also have TLS 1.1 enabled as a fallback, just in case, but even that is being phased out as well. To enable multiple TLS versions with the Method property, you would have to set it to sslvSSLv23, which will set the SSLVersions property to all SSL/TLS versions supported by Indy (including SSL 2.0, SSL 3.0, and TLS 1.x), but it is better to use the SSLVersions property directly (ie, don't enable SSL 2.0 and 3.0 anymore), eg: SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2]; Having multiple TLS versions enabled at a time will allow OpenSSL to negotiate the highest version that both client and server support. That being said, on a side note, you do not need to assign ANY of the following SSLIOHandler properties, as Indy handles them internally for you: 8 hours ago, david_navigator said: with IdSSLIOHandlerSocketOpenSSL1 do begin ... Destination := format('%s:%s', [EditServerHost.text, EditPort.text]); // 'imap.gmail.com:993'; Host := EditServerHost.text; ... Port := strtoint(EditPort.text); DefaultPort := 0; ... end; Setup the necessary Host/Port only in the client component, ie TIdIMAP4. The Connect() method will then copy them into the IOHandler as needed. Edited October 22, 2021 by Remy Lebeau 1 Share this post Link to post
Edwin Yip 154 Posted February 12, 2023 On 10/22/2021 at 8:11 PM, Virgo said: That is really old version. And that is old deprecated version of TLS. Anything before TLS 1.2 is deprecated. Thanks! Changing to `TIdSSLIOHandlerSocketOpenSSL.SSLOptions.Method := sslvTLSv1_2;` fixed a "EIdOSSLConnectError: Error connecting with SSL. EOF was observed that violates the protocol " error for me too! Share this post Link to post