IdSMTP failed to connect using SSL
#1
Back in 2018-2019 I wrote a commit emailer for our SVN server using Lazarus/FPC and Indy 10.6.2.
It retrieves the data from SVN and packages it into a message sent to the subscribed developers using a mailserver on my ISP.
I have created a specific email account on the ISP for this purpose and this requires SSL login for sending which is done using the code below.

The mailer has worked flawlessly for all the time since then until mid-December 2023 when the emails stopped coming.
Now I have finally found the logfiles for the mailer and this is what is reported upon each sending:
Code:
20240111 17:13:35.343 Connecting to mailserver
20240111 17:13:36.590 EXCEPTION: In SendSvnMessage = Error connecting with SSL.
error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version

So it seems to be a problem with SSL negotiations here and now I am at a loss as to where I can start finding the reason for this and a solution.

The actual code where the sending is done looks like this:

Code:
constructor TSvnMessage.Create;
begin
  FSvnUsers := TSvnUsers.Create;
  FSubscription := TStringList.Create;
  FSMTP := TIdSMTP.Create(nil);
  FSSLHandler := TIdSSLIOHandlerSocketOpenSSL.Create(nil);
  FMailMessage := TIdMessage.Create(nil);
end;

function TSvnMessage.SendSvnMessage: boolean;
var
  sSubject: string;
  i: integer;
begin
  Result := false;
  try
    PrepareMessage;
    if (FMailMessage.Sender.Address = '') and (FMailMessage.From.Address = '') then
    begin
      LogError('No sender! Cannot send email!');
      exit;
    end;
    if FMailMessage.Recipients.Count = 0 then
    begin
      LogError('No recipients! Cannot send email!');
      exit;
    end;
    //Set up the SMTP transfer properties
    FSMTP.Port := FMailPort;
    FSMTP.Host := FMailServer;
    FSMTP.AuthType := satDefault;
    FSMTP.Username := FMailLogin;
    FSMTP.Password := FMailPwd;
    FSMTP.MailAgent := 'SVNMailer';
    if FMailUseSSL then
    begin
      FSMTP.IOHandler := FSSLHandler;
      FSMTP.UseTLS := utUseImplicitTLS;
      FSSLHandler.Port := FMailPort;
    end;
    FSMTP.ConnectTimeout := FMailTimeout;

    //Check message subject for illegal chars
    if Length(FMailMessage.Subject) > 76 then
    begin
      sSubject := FMailMessage.Subject;
      for i := 1 to Length(sSubject) do
      begin
        if Ord(sSubject[i]) > 127 then
          sSubject[i] := '?';
      end;
      FMailMessage.Subject := sSubject;
    end;

    //Now send message
    Log('Connecting to mailserver');
    FSMTP.Connect;
    if FSMTP.Connected then
    begin
      Log('Sending message');
      FSMTP.Send(FMailMessage);
      Log('Send done');
      FSMTP.Disconnect();
      Result := true;
    end;
  except
    on E: Exception do
    begin
      LogException('In SendSvnMessage = ' + E.Message);
    end;
  end;
end;

Since it has worked for these many years there must be some change either in the Windows Server 2016 where it runs or else in the mail server configuration, but where should I start looking?

For instance if the mail server requires a later version of SSL, how can I fix that in my program?

Note:
This is the same problem I was looking for a work-around to and asked here about earlier.
See thread "Change report from send email to post to a php handler".
I'd rather have the modification done in the existing mailer than going that route, though...
Reply
#2
On googling the error code I found this thread on Atozed about SSL, which also deals with SSL version errors, but using Delphi instead of Lazarus/FreePascal.

The solution seems to be to install a later version of the Indy10 package; is this the only thing needed?

I now have Lazarus 2.2.4 / Fpc 3.2.2 on Windows 10 with Indy10.6.4089 installed via OnLine Package Manager.

I have no clue as to what level of SSL the combination of Lazarus/Fpc/Indy10 used back in 2018, but now I wonder if just rebuilding the project using these newer dev tool versions can be expected to fix the problem?

The existing version of the mailer was built on Windows7 in 2018 before I switched laptop....

LATER
I made the test now by rebuilding the mailer application using Lazarus 2.2.4/Fpc 3.2.2 on Windows 10 x64.

But still the same SSL error when I make a commit on Subversion.
So the rebuild with a more up-to-date version of Indy10 did not help to correct the problem.

What can I do now?
Is there some extra logging I can check?
Reply
#3
(01-13-2024, 07:55 AM)BosseB Wrote:
Code:
20240111 17:13:36.590 EXCEPTION: In SendSvnMessage = Error connecting with SSL.
error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version

You are trying to connect using a TLS version that the server does not allow.

(01-13-2024, 07:55 AM)BosseB Wrote: The actual code where the sending is done looks like this:

You are not configuring any TLS versions on the TIdSSLIOHandlerSocketOpenSSL.  By default, it uses only TLS 1.0 (see this ticket).  The server has likely been updated to require TLS 1.1 or even TLS 1.2 now.  So try adding this:

Code:
FSSLHandler := TIdSSLIOHandlerSocketOpenSSL.Create(nil);
FSSLHandler.SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2]; // <-- HERE

Reply
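Added example, not part of the original posts: a Python log triage helper that decodes the packed OpenSSL error code from the mailer log and names the TLS alert the server sent, which is how the line above maps to "protocol version". It assumes the OpenSSL 1.0.x/1.1.x error layout (8-bit library, 12-bit function, 12-bit reason); the function names and hint texts are illustrative.

```python
import re

ERR_LIB_SSL = 20             # OpenSSL library number for libssl
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + alert number for alerts received from the peer
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 45: "certificate_expired",
              48: "unknown_ca", 70: "protocol_version", 71: "insufficient_security"}
HINTS = {  # illustrative triage hints, one per alert worth acting on
    "protocol_version": "server refused the TLS version offered; review the client's enabled versions",
    "handshake_failure": "no mutually acceptable parameters, often cipher suites",
    "insufficient_security": "server requires stronger ciphers than the client offered",
}
STAMP_RE = re.compile(r"^(\d{8} \d{2}:\d{2}:\d{2}\.\d{3}) ")
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")

def decode_openssl_error(line):
    """Split a packed OpenSSL 1.0.x/1.1.x error code into lib, func, reason and peer alert."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    name = TLS_ALERTS.get(alert, "unknown") if alert is not None else None
    return {"lib": lib, "func": func, "reason": reason, "alert": alert, "alert_name": name}

def triage(log_text):
    """Return (timestamp, alert_name, hint) for every peer TLS alert found in the mailer log."""
    findings, last_stamp = [], None
    for line in log_text.splitlines():
        stamp = STAMP_RE.match(line)
        if stamp:
            last_stamp = stamp.group(1)  # error lines carry no timestamp of their own
        err = decode_openssl_error(line)
        if err and err["alert_name"]:
            name = err["alert_name"]
            findings.append((last_stamp, name, HINTS.get(name, "see the TLS alert registry")))
    return findings

# The three log lines quoted in the first post of this thread.
SAMPLE_LOG = """20240111 17:13:35.343 Connecting to mailserver
20240111 17:13:36.590 EXCEPTION: In SendSvnMessage = Error connecting with SSL.
error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version"""

if __name__ == "__main__":
    for stamp, name, hint in triage(SAMPLE_LOG):
        print(f"{stamp}  alert={name}: {hint}")
```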
#4
(01-13-2024, 09:34 AM)BosseB Wrote: LATER
I made the test now by rebuilding the mailer application using Lazarus 2.2.4/Fpc 3.2.2 on Windows 10 x64.

But still the same SSL error when I make a commit on Subversion.
So the rebuild with a more up-to-date version of Indy10 did not help to correct the problem.

What can I do now?
Is there some extra logging I can check?

(01-14-2024, 02:58 AM)rlebeau Wrote:
(01-13-2024, 07:55 AM)BosseB Wrote:
Code:
20240111 17:13:36.590 EXCEPTION: In SendSvnMessage = Error connecting with SSL.
error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version

You are trying to connect using a TLS version that the server does not allow.

(01-13-2024, 07:55 AM)BosseB Wrote: The actual code where the sending is done looks like this:

You are not configuring any TLS versions on the TIdSSLIOHandlerSocketOpenSSL.  By default, it uses only TLS 1.0 (see this ticket).  The server has likely been updated to require TLS 1.1 or even TLS 1.2 now.  So try adding this:

Code:
FSSLHandler := TIdSSLIOHandlerSocketOpenSSL.Create(nil);
FSSLHandler.SSLOptions.SSLVersions := [sslvTLSv1, sslvTLSv1_1, sslvTLSv1_2]; // <-- HERE

THANK YOU SO MUCH!!!

This solved the problem and the emails are now getting through!
So now I can get to bed without worrying how to get it to work or invent a different method somehow.
Reply