Gmail smtp Hostname does not match the server certificate - ssl

I'm having an error with gmail gem while trying to send a mail, this is working fine on local, and was working fine on heroku, but now im moving this app to a VPS server. This is the error:
e = g.compose do
to 'test#gmail.com'
subject 'testasea'
body 'test'
end
=> #<Mail::Message:25450040, Multipart: false, Headers: <From: .......>
e.deliver!
=> OpenSSL::SSL::SSLError: hostname does not match the server certificate
I've added this into an initializer file, without any luck:
ActionMailer::Base.smtp_settings = {
:enable_starttls_auto => true,
:openssl_verify_mode => 'none' # I've tested with 0 and false,
}
I tried to monkey path the class
OpenSSL::SSL::SSLSocket.class_eval do
def post_connection_check(hostname)
return true
end
end
with no luck, when I do that i receive a 535 Incorrect authentication data, however I know data is ok because i can do
g.inbox.count :read
And it returns me the right number.
I would like to know:
the incorrect certificate is the one my server (smtp client) is sending? or the one that is received by gmail smtp server?
why it works in local?
Why if i monkey path the class I received an authentication error?
Is there any workaround? i dont care if is not safe, is just a tenting application,.

This is only a guess, but if you are in a WHM VPS there is a function that restricts outgoing SMTP connections, you can find it in Tweak Settings.
Restrict outgoing SMTP to root, exim, and mailman (FKA SMTP Tweak)
It redirects all SMTP connections, If this is enabled you will receive your server self-signed ssl certificate, and if you bypass it using the monkey patch or setting configuration to dont check ssl certificate you will probably found an authentication error as you are in fact connecting to the LOCAL SMTP server.
Just disable it and test again.

Related

Python's default SSL certificate context not working in requests method when behind proxy, works fine otherwise

I have the below function in my code, which works perfectly fine when I'm not behind any proxy. In fact, without even mentioning the certifi default CA certificate, it works fine if I pass verify=TRUE, I guess, because it works in the same way.
def reverse_lookup(lat, long):
cafile=certifi.where()
params={'lat' : float(lat), 'lon' : float(long), 'format' : 'json',
'accept-language' : 'en', 'addressdetails' : 1}
response = requests.get("https://nominatim.openstreetmap.org/reverse", params=params, verify=cafile)
#response = requests.get("https://nominatim.openstreetmap.org/reverse", params=params, verify=True) <-- this works as well
result = json.loads(response.text)
return result['address']['country'], result['address']['state'], result['address']['city']
When I run the same code from within my enterprise infrastructure (where I'm behind proxy), I make some minor changes in the code mentioning the proxy as parameter in requests method:
def reverse_lookup(lat, long):
cafile=certifi.where()
proxies = {"https" : "https://myproxy.com"}
params={'lat' : float(lat), 'lon' : float(long), 'format' : 'json',
'accept-language' : 'en', 'addressdetails' : 1}
response = requests.get("https://nominatim.openstreetmap.org/reverse", params=params, verify=cafile, proxies=proxies)
result = json.loads(response.text)
return result['address']['country'], result['address']['state'], result['address']['city']
But it gives me one out of these 3 SSL errors at different times, if I set verify=True or verify=certifi.where():
CERTIFICATE_VERIFY_FAILED
UNKNOWN_PROTOCOL
WRONG_VERSION_NUMBER
Only time it works is when I completely bypass the SSL verification with verify=False
My questions are:
Since I'm sending the https request via proxy, is it ok if I bypass SSL verification ?
How to make the default context of SSL verification work in this case, when I'm behind proxy ?
Any help is appreciated. Code tested in both Python 2.7.15 and 3.9
Since I'm sending the https request via proxy, is it ok if I bypass SSL verification ?
Do you need the protection offered by HTTPS, i.e. encryption of the application data (like passwords, but also the full URL) to protect against sniffing or modifications by a malicious man in the middle? If you don't need the protection, then you can bypass certificate validation.
How to make the default context of SSL verification work in this case, when I'm behind proxy ?
The proxy is doing SSL interception and when doing this issues a new certificate for this site based on an internal CA. If this is expected (i.e. not an attack) then you need to import the CA from the proxy as trusted with verify='proxy-ca.pem'. Your IT department should be able to provide you with the proxy CA.
But it gives me one out of these 3 SSL errors at different times, if I
set verify=True or verify=certifi.where():
CERTIFICATE_VERIFY_FAILED
UNKNOWN_PROTOCOL
WRONG_VERSION_NUMBER
It should only give you CERTIFICATE_VERIFY_FAILED. The two other errors indicate wrong proxy settings, typically setting https_proxy to https://... instead of http://... (which also can be seen in your code).

Roundcube SSL connection IMAP Error: Login failed

This is probably a reoccurring problem, where you are unable to Login to Roundcube (Connection to storage server failed), due to an IMAP (ssl) connection error.
Many Posts reports this as an IMAP issue, and tells you that this is due to the config/config.inc.php Imap configuration, but are failing to give any proper debugging of the IMAP.
So, this is another post, of the same problem : Unresolved.
Roundcube reports this error:
IMAP Error: Login failed for user#myserver.com against host.myserver.com from IP_ADDRESS. Could not
connect to ssl://host.myserver.com:993: Unknown reason in
../lib/Roundcube/rcube_imap.php on line 200 (POST /webmail/?_task=login&_action=login)
I tried this to check if ssl connection to imap was possible:
openssl s_client -connect host.myserver.com:993
And I am able to connect to the IMAP with ssl, but connection ends with :
BYE Too many invalid IMAP commands.
So ... it seem that the ssl certificate is valid, and I am able to connect on port 993.
Roundcube still reports an Unknown reason for not connecting properly.
The certificate was generated by the ./mkcert.sh bash script, where you can enter the proper hostname of your server, to be included in the certificate.
After a lot of debugging, and no proper debugging methodology I found the easy solution, by bypassing ssl verification.
A stupid solution:
$config['imap_conn_options'] = array(
'ssl' => array(
'verify_peer' => false,
'verfify_peer_name' => false,
),
);
$config['smtp_conn_options'] = array(
'ssl' => array(
'verify_peer' => false,
'verify_peer_name' => false,
),
);
Do anyone have some suggestions for the next thing to try
Thanks!

Bind secure server and authentification

I would make a secure server, I have follow this tutorial.
It work, but I would know how I can use .p12 certificate or .cer.
And when I 'bindSecure' my server, I request a certificate. But when I try to connect, after have choose a client certificate, I get an error (net::ERR_SSL_PROTOCOL_ERROR). I did something wrong ?
if (!args.contains('--setup'))
SecureSocket.initialize(database: config['SSLpath'], password: config['SSLpass']);
HttpServer.bindSecure(config['Host'], config['SSLport'], certificateName: config['SSLname'], requestClientCertificate: true).then((server) {
getRoute(server, _virDir);
}).catchError((e) => throw "An error occured: ${e}.");
I use keychain on Mac OS for generating certificate.

SSLCaertBadFile error heroku curb

I have a rake task that pulls and parses JSON data over an SSL connection from an external API.
I use a gem that wraps this external API and have no problems running locally, but the task fails when run on heroku with #<Curl::Err::SSLCaertBadFile: Curl::Err::SSLCaertBadFile>
I installed the piggyback SSL add-on, hoping it might fix it, but no dice.
Any ideas?
UPDATE
I managed to fix it by disabling ssl verification on the curl request previously set by the following two fields:
request.ssl_verify_peer
request.ssl_verify_host
I don't know enough about SSL to know exactly why the error was caused by these settings in a heroku environment or what the implications of disabling this are, aside from reduced security.
It is a bad idea to disable certificate checking. See http://www.rubyinside.com/how-to-cure-nethttps-risky-default-https-behavior-4010.html, http://jamesgolick.com/2011/2/15/verify-none..html and associated references for more on that topic.
The issue is that your HTTP client doesn't know where to find the CA certificates bundle on heroku.
You don't mention what client you are using, but here is an example for using net/https on heroku:
require "net/https"
require "uri"
root_ca_path = "/etc/ssl/certs"
url = URI.parse "https://example.com"
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = (url.scheme == "https")
if (File.directory?(root_ca_path) && http.use_ssl?)
http.ca_path = root_ca_path
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.verify_depth = 5
end
request = Net::HTTP::Get.new(url.path)
response = http.request(request)
Here is an example using Faraday:
Faraday.new "https://example.com", ssl: { ca_path: "/etc/ssl/certs" }
Good luck.

mail() in lampp doesn't work

I'm trting to send a simple mail script in PHP. It doesn't work and I have no error in mail log or error log.
Here's my php.ini config
SMTP = relais.videotron.ca
smtp_port = 25
sendmail_from = xxxx#xxxx.com (Of cours it's my ISP email there :D)
sendmail_path = /usr/sbin/sendmail -i -t
and my simple mail() test
mail("xxxx#xxxx.com","test","test");
Nothing's work. What could it be?
The built-in PHP mail command doesn't allow you to authenticate to an SMTP server. Your ISP SMTP server requires authentication and so is refusing the connection.
The info provided by your ISP confirms this;
SMTP server is accessible from an external network by using clear text
authentication using your code "VL" or alias for your mail Example:
customer#videotron.ca
Your options are either use an SMTP server that allows anonymous connections or (as Eamorr says) use a mailer class.
I use SwiftMailer:
require_once('../lib/swiftMailer/lib/swift_required.php');
...
function sendEmail(){
//Sendmail
$transport = Swift_SendmailTransport::newInstance('/usr/sbin/sendmail -bs');
//Create the Mailer using your created Transport
$mailer = Swift_Mailer::newInstance($transport);
$body="Dear $fname,\n\nYour job application was successful. \n\nYours,\n\nEamorr\n\n\n\n\n\n\n";
//Create a message
$message = Swift_Message::newInstance('Subject goes here')
->setFrom(array($email => "no-reply#yourdomain.com"))
->setTo(array($email => "$fname $lname"))
->setBody($body);
//Send the message
$result = $mailer->send($message);
}
You can send both plaintext and html email with ease.