david_navigator

exception message : Error connecting with SSL. EOF was observed that violates the protocol.


One of my customers has started to get this error connecting my app to outlook.office365.com via IMAP.
He's connecting to port 993 using Implicit TLS.

He says that my app has been working for ages and has just started throwing this error, so I'm assuming that something has changed in the world of Microsoft - yet none of my other customers are reporting the error nor can I find anything online that suggests a change that Microsoft may have rolled out in the past week.
I get the same error if I try on my PC with his Microsoft credential.

I don't really understand what the error means, though, to then try and diagnose further what might be going on or what settings he needs to look for in his account.

Any help much appreciated.

David

Quote

He says that my app has been working for ages and has just started throwing this error, so I'm assuming that something has changed in the world of Microsoft - yet none of my other customers are reporting the error nor can I find anything online that suggests a change that Microsoft may have rolled out in the past week.

I'm assuming you are using OpenSSL, which version?  Also, what version of the SSL/TLS protocol are you using?

Quote

I get the same error if I try on my PC with his Microsoft credential.

Then you should be able to debug it.  For instance, using Wireshark, you can see the details of the actual SSL/TLS handshake (at least until the connection is encrypted; it takes a few back-and-forths to get that far).  At what stage in the handshake is the server disconnecting?

Quote

I don't really understand what the error means

The error means that the IMAP server is closing its end of the TCP connection while the SSL/TLS handshake is still in progress.  Typically, this happens if the server encounters something it doesn't like in the client's SSL/TLS handshake, and the server decides to bail out without first sending a TLS alert to explain what is wrong.

Edited by Remy Lebeau

Quote

I'm assuming you are using OpenSSL, which version?  Also, what version of the SSL/TLS protocol are you using?

If you mean the version numbers of libeay32.dll & ssleay32.dll, then they're 1.0.1.3 (1.0.1c) - dated 27/01/2014 !!!

Looking at the code below, it looks like:

SSLOptions.Method := sslvTLSv1;
TheImap.UseTLS := utUseImplicitTLS

    if (ComboUseSSL.EditValue <> -1) or (ComboUseTLS.EditValue <> 0) then
    begin
      with IdSSLIOHandlerSocketOpenSSL1 do
      begin
        Name := 'IdSSLIOHandlerSocketOpenSSL1';
        Destination := format('%s:%s', [EditServerHost.text, EditPort.text]); // 'imap.gmail.com:993';
        Host := EditServerHost.text;
        MaxLineAction := maException;
        Port := strtoint(EditPort.text);
        DefaultPort := 0;
        // TIdSSLVersion = (sslvSSLv2, sslvSSLv23, sslvSSLv3, sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2);
        if ComboUseSSL.EditValue <> -1 then // if -1 then just use the default, which is sslvTLSv1
          SSLOptions.Method := TIdSSLVersion(ComboUseSSL.EditValue)
        else
          SSLOptions.Method := sslvTLSv1; // TLS 1.0 only
        SSLOptions.Mode := sslmUnassigned;
        SSLOptions.VerifyMode := [];    // no server certificate verification
        SSLOptions.VerifyDepth := 0;
      end;
      TheImap.IOHandler := IdSSLIOHandlerSocketOpenSSL1;
    end
    else
      TheImap.IOHandler := nil;
    // TIdUseTLS = (
    // utNoTLSSupport,
    // utUseImplicitTLS, // ssl iohandler req, always tls
    // utUseRequireTLS,  // ssl iohandler req, user command only accepted when in tls
    // utUseExplicitTLS  // < user can choose to use tls
    // );
    TheImap.UseTLS := TIdUseTLS(ComboUseTLS.EditValue);

Quote

For instance, using Wireshark,....

Thanks. I'll try and set that up and see what I can find.

3 hours ago, david_navigator said:

If you mean the version numbers of libeay32.dll & ssleay32.dll, then they're 1.0.1.3 (1.0.1c) - dated 27/01/2014 !!!

That is a really old version.

3 hours ago, david_navigator said:

SSLOptions.Method := sslvTLSv1;

And that is an old, deprecated version of TLS. Anything before TLS 1.2 is deprecated.

Edited by Virgo


You can download the latest DLLs here:

https://github.com/IndySockets/OpenSSL-Binaries

and for more info go here:

https://docwiki.embarcadero.com/RADStudio/Sydney/en/Securing_Indy_Network_Connections

I would change:

SSLOptions.Method := sslvTLSv1;

to

SSLOptions.Method := sslvTLSv1_2;


Initial tests show that changing the method thus

SSLOptions.Method := sslvTLSv1_2;

fixes the problem. Will do some more testing but looking good 🙂
Will try later versions of the DLLs too.

8 hours ago, david_navigator said:

If you mean the version numbers of libeay32.dll & ssleay32.dll, then they're 1.0.1.3 (1.0.1c) - dated 27/01/2014 !!!

Yes, I do, and that is a VERY old version of OpenSSL; you need to upgrade.  Indy currently supports up to 1.0.2u dated 21/12/2019, which you can find at https://github.com/IndySockets/OpenSSL-Binaries/.  Work on supporting 1.1.x is in progress: https://github.com/IndySockets/Indy/pull/299

8 hours ago, david_navigator said:

SSLOptions.Method := sslvTLSv1;

The Method property is deprecated, you should be using the SSLVersions property instead.

TLS 1.0 has been (almost) completely phased out of modern servers.  Most modern servers support, if not require, TLS 1.2, so that really should be your minimum going forward nowadays.  You should also have TLS 1.1 enabled as a fallback, just in case, but even that is being phased out as well.

To enable multiple TLS versions with the Method property, you would have to set it to sslvSSLv23, which will set the SSLVersions property to all SSL/TLS versions supported by Indy (including SSL 2.0, SSL 3.0, and TLS 1.x), but it is better to use the SSLVersions property directly (ie, don't enable SSL 2.0 and 3.0 anymore), eg:

SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2];

Having multiple TLS versions enabled at a time will allow OpenSSL to negotiate the highest version that both client and server support.

That being said, on a side note, you do not need to assign ANY of the following SSLIOHandler properties, as Indy handles them internally for you:

8 hours ago, david_navigator said:

      with IdSSLIOHandlerSocketOpenSSL1 do
      begin
        ...
        Destination := format('%s:%s', [EditServerHost.text, EditPort.text]); // 'imap.gmail.com:993';
        Host := EditServerHost.text;
        ...
        Port := strtoint(EditPort.text);
        DefaultPort := 0;
        ...
      end;

Set up the necessary Host/Port only in the client component, ie TIdIMAP4.  The Connect() method will then copy them into the IOHandler as needed.

Edited by Remy Lebeau

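The configuration Remy describes in the two replies above (SSLVersions instead of the deprecated Method property, Host/Port set on TIdIMAP4 only, implicit TLS on port 993), pulled together as an added Delphi example; this is not code from the thread and not Indy's own sample code. It also hooks the IOHandler's OnStatusInfo event so each handshake step is logged, which shows where the server cut the connection without needing Wireshark, and it turns server certificate verification on (the form code posted above sets VerifyMode := [], which accepts any certificate the server presents). The console-program shape, the TImapTlsProbe class, the cacert.pem path and the placeholder credentials are assumptions; the Indy 10 names used (SSLVersions, OnStatusInfo, SSLSocket.Cipher) are as recalled from the Indy sources.

```delphi
program ImapTlsDemo;

{$APPTYPE CONSOLE}

uses
  System.SysUtils,
  IdIMAP4,
  IdSSLOpenSSL,
  IdExplicitTLSClientServerBase;

type
  // Holder class so the IOHandler's OnStatusInfo event has a method to bind to (assumed name).
  TImapTlsProbe = class
  private
    procedure HandshakeStatus(const AMsg: string);
  public
    // Connects with implicit TLS 1.2, logs in, and returns the negotiated protocol/cipher.
    function ConnectImplicitTls(const AHost: string; APort: Word;
      const AUser, APassword, ARootCertFile: string): string;
  end;

procedure TImapTlsProbe.HandshakeStatus(const AMsg: string);
begin
  // OpenSSL reports each handshake step here ("SSLv3/TLS write client hello", ...).
  // If the server drops the TCP connection mid-handshake (the "EOF was observed"
  // error from this thread), the last line printed shows which step it reached.
  Writeln('[TLS] ', AMsg);
end;

function TImapTlsProbe.ConnectImplicitTls(const AHost: string; APort: Word;
  const AUser, APassword, ARootCertFile: string): string;
var
  Imap: TIdIMAP4;
  IO: TIdSSLIOHandlerSocketOpenSSL;
begin
  Imap := TIdIMAP4.Create(nil);
  try
    IO := TIdSSLIOHandlerSocketOpenSSL.Create(Imap); // owned and freed by Imap
    IO.OnStatusInfo := HandshakeStatus;

    // Offer TLS 1.2 only, via SSLVersions rather than the deprecated Method property.
    // Adding sslvTLSv1_1 to the set would let OpenSSL fall back to 1.1 if the server needs it.
    IO.SSLOptions.SSLVersions := [sslvTLSv1_2];
    IO.SSLOptions.Mode := sslmClient;

    // Verify the server's certificate chain against a trusted CA bundle.
    // VerifyMode := [] (as in the form code in this thread) accepts any certificate.
    IO.SSLOptions.VerifyMode := [sslvrfPeer, sslvrfFailIfNoPeerCert];
    IO.SSLOptions.VerifyDepth := 9;
    IO.SSLOptions.RootCertFile := ARootCertFile; // PEM bundle of trusted root CAs (assumed path)

    // Host and Port are set on the client only; TIdIMAP4.Connect copies them into the IOHandler.
    Imap.IOHandler := IO;
    Imap.Host := AHost;
    Imap.Port := APort;              // 993 for IMAP over implicit TLS
    Imap.UseTLS := utUseImplicitTLS; // handshake happens before any IMAP command is sent
    Imap.Username := AUser;
    Imap.Password := APassword;

    Imap.Connect; // raises an EIdOSSL* exception if the handshake or verification fails
    try
      // Report what was actually negotiated so the fix can be confirmed from a log.
      Result := Format('%s / %s', [IO.SSLSocket.Cipher.Version, IO.SSLSocket.Cipher.Name]);
    finally
      Imap.Disconnect;
    end;
  finally
    Imap.Free;
  end;
end;

var
  Probe: TImapTlsProbe;
begin
  Probe := TImapTlsProbe.Create;
  try
    try
      // Placeholder credentials and CA bundle path; replace with real values.
      Writeln('Negotiated: ', Probe.ConnectImplicitTls('outlook.office365.com', 993,
        'user@example.com', '<password>', 'cacert.pem'));
    except
      on E: Exception do
        Writeln(E.ClassName, ': ', E.Message);
    end;
  finally
    Probe.Free;
  end;
end.
```

Running this against the customer's mailbox prints the handshake steps followed by the negotiated cipher; if the connection still ends in an EOF, the last [TLS] line shows which message the server refused to answer. Note that Indy's OpenSSL IOHandler checks the chain but, as far as the editor knows, does not match the certificate's name against Host by itself; that check belongs in an OnVerifyPeer handler.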
