exception message : Error connecting with SSL. EOF was observed that violates the protocol.

[david_navigator 12]

One of my customer's has started to get this error connecting my app to outlook.office365.com via IMAP. 
He's connecting to port 993 using Implicit TLS.

He says that my app has been working for ages and has just started throwing this error, so I'm assuming that something has changed in the world of Microsoft - yet none of my other customers are reporting the error nor can I find anything online that suggest a change that Microsoft may have rolled out in the past week. 
I get the same error if I try on my PC with his Microsoft credential.

I don't really understand what the error means though to then try and diagnose further what might be going on or settings he needs to look for in his account.

 

Any help much appreciated.

 

David

[Remy Lebeau 1256]

Quote

He says that my app has been working for ages and has just started throwing this error, so I'm assuming that something has changed in the world of Microsoft - yet none of my other customers are reporting the error nor can I find anything online that suggest a change that Microsoft may have rolled out in the past week. 

I'm assuming you are using OpenSSL, which version?  Also, what version of the SSL/TLS protocol are you using?

Quote

I get the same error if I try on my PC with his Microsoft credential.

Then you should be able to debug it.  For instance, using Wireshark, you can see the details of the actual SSL/TLS handshake (at least until the connection is encrypted. It takes a few back-and-forths to get that far).  At what stage in the handshake is the server disconnecting?

Quote

I don't really understand what the error means

The error means that the IMAP server is closing its end of the TCP connection while the SSL/TLS handshake is still in progress.  Typically, this happens if the server encounters something it doesn't like in the client's SSL/TLS handshake, and the server decides to bail out without first sending a TLS alert to explain what is wrong.

Edited October 21, 2021 by Remy Lebeau

[david_navigator 12]

Quote

I'm assuming you are using OpenSSL, which version?  Also, what version of the SSL/TLS protocol are you using?

If you mean the version numbers of libeay32.dll & ssleay32.dll, then they're 1.0.1.3 (1.0.1c) - dated 27/01/2014 !!!

 

Looking at the code below, it looks like 

SSLOptions.Method := sslvTLSv1;
TheImap.UseTLS := utUseImplicitTLS

    if (ComboUseSSL.EditValue <> -1) or (ComboUseTLS.EditValue <> 0) then
    begin
      with IdSSLIOHandlerSocketOpenSSL1 do
      begin
        Name := 'IdSSLIOHandlerSocketOpenSSL1';
        Destination := format('%s:%s', [EditServerHost.text, EditPort.text]); // 'imap.gmail.com:993';
        Host := EditServerHost.text;
        MaxLineAction := maException;
        Port := strtoint(EditPort.text);
        DefaultPort := 0;
        // TIdSSLVersion = (sslvSSLv2, sslvSSLv23, sslvSSLv3, sslvTLSv1,sslvTLSv1_1,sslvTLSv1_2);
        if ComboUseSSL.EditValue <> -1 then // if -1 then just use default which is sslvTLSv1
          SSLOptions.Method := TIdSSLVersion(ComboUseSSL.EditValue)
        else
          SSLOptions.Method := sslvTLSv1;
        SSLOptions.Mode := sslmUnassigned;
        SSLOptions.VerifyMode := [];
        SSLOptions.VerifyDepth := 0;
      end;
      TheImap.IOHandler := IdSSLIOHandlerSocketOpenSSL1;
    end
    else
      TheImap.IOHandler := nil;
    // TIdUseTLS = (
    // utNoTLSSupport,
    // utUseImplicitTLS, // ssl iohandler req, allways tls
    // utUseRequireTLS, // ssl iohandler req, user command only accepted when in tls
    // utUseExplicitTLS // < user can choose to use tls
    // );
    TheImap.UseTLS := TIdUseTLS(ComboUseTLS.EditValue);

 

Quote

 For instance, using Wireshark,....

Thanks. I'll try and set that up and see what I can find.

[Virgo 16]

3 hours ago, david_navigator said:

If you mean the version numbers of libeay32.dll & ssleay32.dll, then they're 1.0.1.3 (1.0.1c) - dated 27/01/2014 !!!

That is really old version.

3 hours ago, david_navigator said:

SSLOptions.Method := sslvTLSv1;

And that is old deprecated version of TLS. Anything before TLS 1.2 is deprecated.

Edited October 22, 2021 by Virgo

[DaveW 1]

You can download the latest DLLs here:

 

https://github.com/IndySockets/OpenSSL-Binaries

and for more info go here:

https://docwiki.embarcadero.com/RADStudio/Sydney/en/Securing_Indy_Network_Connections

 

I would change:

 

SSLOptions.Method := sslvTLSv1;

 

to 

 

 

SSLOptions.Method := sslvTLSv1_2;

 

 

 

[david_navigator 12]

Initial tests show that changing the method thus

 

SSLOptions.Method := sslvTLSv1_2;

fixes the problem. Will do some more testing but looking good 🙂
Will try later versions of the dll's too.

[Remy Lebeau 1256]

8 hours ago, david_navigator said:

If you mean the version numbers of libeay32.dll & ssleay32.dll, then they're 1.0.1.3 (1.0.1c) - dated 27/01/2014 !!!

Yes, I do, and that is a VERY old version of OpenSSL, you need to upgrade.  Indy currently supports up to 1.0.2u dated 21/12/2019, which you can find at https://github.com/IndySockets/OpenSSL-Binaries/  Work on supporting 1.1.x is in progress: https://github.com/IndySockets/Indy/pull/299

8 hours ago, david_navigator said:

SSLOptions.Method := sslvTLSv1;

The Method property is deprecated, you should be using the SSLVersions property instead.

 

TLS 1.0 has been (almost) completely phased out of modern servers.  Most modern servers support, if not require, TLS 1.2, so that really should be your minimum going forward nowadays.  You should also have TLS 1.1 enabled as a fallback, just in case, but even that is being phased out as well.

 

To enable multiple TLS versions with the Method property, you would have to set it to sslvSSLv23, which will set the SSLVersions property to all SSL/TLS versions supported by Indy (including SSL 2.0, SSL 3.0, and TLS 1.x), but it is better to use the SSLVersions property directly (ie, don't enable SSL 2.0 and 3.0 anymore), eg:

SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2];

Having multiple TLS versions enabled at a time will allow OpenSSL to negotiate the highest version that both client and server support.

 

That being said, on a side note, you do not need to assign ANY of the following SSLIOHandler properties, as Indy handles them internally for you:

8 hours ago, david_navigator said:

      with IdSSLIOHandlerSocketOpenSSL1 do
      begin
        ...
        Destination := format('%s:%s', [EditServerHost.text, EditPort.text]); // 'imap.gmail.com:993';
        Host := EditServerHost.text;
        ...
        Port := strtoint(EditPort.text);
        DefaultPort := 0;
        ...
      end;

 

Setup the necessary Host/Port only in the client component, ie TIdIMAP4.  The Connect() method will then copy them into the IOHandler as needed.

Edited October 22, 2021 by Remy Lebeau

[Edwin Yip 154]

On 10/22/2021 at 8:11 PM, Virgo said:

That is really old version.

And that is old deprecated version of TLS. Anything before TLS 1.2 is deprecated.

Thanks! Changing to  `TIdSSLIOHandlerSocketOpenSSL.SSLOptions.Method := sslvTLSv1_2;` fixed a "EIdOSSLConnectError: Error connecting with SSL.  EOF was observed that violates the protocol " error for me too!