SSL connection options #298

Open
saleyn opened this issue Nov 2, 2021 · 9 comments

Comments

@saleyn

saleyn commented Nov 2, 2021

How do you stop getting the following warning when sending SSL/TLS emails?

=WARNING REPORT==== 2-Nov-2021::10:01:45.493673 ===
Description: "Authenticity is not established by certificate path validation"
     Reason: "Option {verify, verify_peer} and cacertfile/cacerts is missing"

I am providing the tls_options, but it doesn't look like they have any effect:

gen_smtp_client:send(
    {FromEmail, [ToEmail],
     <<"Subject: Test\r\nFrom: XXX\r\nTo: XXX\r\n\r\nTest body of this email\r\n">>},
    [{relay, <<"smtp.gmail.com">>},
     {port, 587},
     {username, XXXX},
     {password, XXXX},
     {tls_options, [{verify, verify_peer},
                    {cacertfile, "/etc/ssl/cert.pem"},
                    {depth, 3}]}]).
@seriyps
Collaborator

seriyps commented Nov 2, 2021

Hi. Does gen_smtp version you are using include this patch #274? We used to filter-out all the non-whitelisted TLS options before.

@saleyn
Author

saleyn commented Nov 2, 2021

I am running the version d012840, which is more recent than the dd7a000 commit with #274.

@cw789
Contributor

cw789 commented Nov 17, 2021

The EUnit tests within CI do also emit a lot of the same warnings. But only on OTP 24.

@seriyps
Collaborator

seriyps commented Nov 18, 2021

It makes sense that CI emits those warnings, because we don't provide any {verify, verify_peer} in our tests and the ssl warning was only introduced in OTP-24.
I'm sorry, I currently don't have time to look into this.

@mworrell
Collaborator

I saw an OTP 24.1.6 update passing by that apparently addresses this issue.

 OTP-17757    Application(s): ssl
              Related Id(s): GH-5352, PR-5395

              Suppress authenticity warning when option verify_none
              is explicitly supplied.

@cw789
Contributor

cw789 commented Apr 15, 2022

So I had my first deep look into gen_smtp and this issue.
As I'm not confident, I want to discuss my findings.

First of all I would need to inject the following options into the SocketOpts (line linked below).
{verify, verify_peer}, {cacertfile, "my_path/cacerts.pem"}, {depth, 3}, {server_name_indication, disable}

SockOpts = [binary, {packet, line}, {keepalive, true}, {active, false} | AddSockOpts],

Without the depth I do get → max_path_length_reached.
Without disabling server_name_indication I do get → hostname_check_failed.
But I've not found the reason nor solution for this one.

Second I will fail at try_STARTSSL:

{always, _} ->
    quit(Socket),
    erlang:throw({missing_requirement, tls});

My mail server seems to not send the STARTSSL extension, even if it does support TLS.
Maybe this is common now, I don't know.

But if I bypass the {always, _} clause and just return {Socket, Extensions}; in there everything seems to be fine.

@eriknaslund

I've found two ways of getting rid of the warning when using ssl:connect, by passing in one of the following TLSOptions.

Perform verification of the certificates.

SslOptions = [
    {verify, verify_peer},
    {depth, 10},
    {cacerts, certifi:cacerts()}
],
ssl:connect("example.com", 443, SslOptions).

Just like @cw789 says I too needed {server_name_indication, disable} for some servers, but not all.

Skip verification of certificates, but avoid generating the warning

SslOptions = [
    {verify, verify_none}
],
ssl:connect("example.com", 443, SslOptions).

Just like @saleyn I don't manage to pass in these options through the tls_options parameter for gen_smtp_client:send. It seems like it has no effect at all, i.e. not getting passed on to ssl:connect.

@LostKobrakai

Seems like tls_options options are only used for STARTTLS when converting to an ssl connection midway. When using ssl: true passing options to ssl.connect works by passing them via the sockopts key instead.

@LostKobrakai

LostKobrakai commented Jan 26, 2023

I made things work using those settings:

ssl: true,
  tls: :never,
  auth: :always,
  port: 465,
  retries: 2,
  no_mx_lookups: false,
  relay: "dia.uberspace.de",
  username: "…",
  password: "…",
  sockopts: [
    versions: [:"tlsv1.2", :"tlsv1.3"],
    verify: :verify_peer,
    cacerts: :public_key.cacerts_get(),
    depth: 3,
    customize_hostname_check: [
      match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
    ],
    server_name_indication: 'dia.uberspace.de'
  ]

I needed to set tls as disabled or optional because otherwise it seems gen_smtp tries to still do STARTTLS even though the connection is already an SSL/TLS one. I feel like there is some hint missing in the docs that tls/tls_options are for STARTTLS only.

Disabling the no_mx_lookups: true also removed the need for the server_name_indication: 'dia.uberspace.de' part, as the host connected to is the host and not an ip address.
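The following Erlang module is an added example written for this page; it is not code from gen_smtp or from anyone in this thread. It pulls together the two findings above (eriknaslund's ssl:connect option sets and LostKobrakai's observation that `tls_options` is consulted only at the STARTTLS upgrade while `sockopts` reaches `ssl:connect` when `ssl` is true) into one strict option set used in both connection modes. Assumptions: the gen_smtp_client option names as used in the thread (relay, port, ssl, tls, auth, no_mx_lookups, sockopts, tls_options, username, password), `gen_smtp_client:send_blocking/2`, and OTP 25 or newer for `public_key:cacerts_get/0` (on older releases use `{cacertfile, Path}` instead). The module name and function names are the example's own. The security point the OTP 24 warning is making: `{verify, verify_none}` silences it by opting out of certificate validation entirely, and `{server_name_indication, disable}` silences `hostname_check_failed` by turning off hostname verification, so any certificate chaining to a trusted CA would then be accepted for the relay; the example instead pins the relay name as the SNI/verification name, which is what makes `verify_peer` check the right host.

```erlang
%% Added example for gen_smtp issue #298; not part of gen_smtp itself.
%% One strict TLS option list, delivered through the key that applies
%% to each connection mode (per the thread):
%%   - implicit TLS (port 465, {ssl, true}):  the `sockopts` key
%%   - STARTTLS     (port 587, {tls, always}): the `tls_options` key
%% Requires OTP 25+ for public_key:cacerts_get/0 (assumption: replace
%% with {cacertfile, "/path/to/cacerts.pem"} on older releases).
-module(smtp_tls_example).
-export([tls_opts/1, implicit_tls/1, starttls/1, send/3]).

%% Strict client-side TLS options for Relay, given as a hostname string.
%% These are plain OTP ssl options; nothing here is gen_smtp-specific.
tls_opts(Relay) when is_list(Relay) ->
    [{verify, verify_peer},
     %% Trust anchors from the OS store; without cacerts/cacertfile the
     %% OTP 24+ ssl app emits the "Authenticity is not established" warning.
     {cacerts, public_key:cacerts_get()},
     %% Chain length allowed above the leaf; too small a value surfaces
     %% as max_path_length_reached on longer public chains.
     {depth, 3},
     {versions, ['tlsv1.2', 'tlsv1.3']},
     %% Verify the chain against the relay name, not against whatever
     %% address the socket happens to be connected to. Do NOT use
     %% {server_name_indication, disable}: that switches hostname
     %% verification off and any trusted-CA certificate would pass.
     {server_name_indication, Relay},
     %% Accept wildcard certificates the way HTTPS clients do.
     {customize_hostname_check,
      [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}].

%% Implicit TLS: the socket is TLS from the first byte, so the options
%% travel in `sockopts`, and STARTTLS is disabled with {tls, never};
%% otherwise gen_smtp tries to STARTTLS over an already-encrypted link.
implicit_tls(Relay) ->
    [{relay, Relay}, {port, 465}, {ssl, true}, {tls, never},
     {auth, always},
     %% Connect to the relay name directly rather than to an MX record
     %% (assumption: no_mx_lookups semantics as used in the thread).
     {no_mx_lookups, true},
     {sockopts, tls_opts(Relay)}].

%% STARTTLS: plaintext socket upgraded after EHLO; that upgrade is the
%% only place `tls_options` is consulted. {tls, always} makes gen_smtp
%% abort with {missing_requirement, tls} if the relay does not advertise
%% STARTTLS, instead of sending credentials in clear.
starttls(Relay) ->
    [{relay, Relay}, {port, 587}, {ssl, false}, {tls, always},
     {auth, always}, {no_mx_lookups, true},
     {tls_options, tls_opts(Relay)}].

%% Send one message with either option set; credentials are appended
%% here so the mode-building functions above stay free of secrets.
%% send_blocking/2 returns the server receipt as a binary or
%% {error, Type, Reason}, so TLS failures are visible to the caller.
send(ModeOpts, {User, Pass}, {From, To, Body}) ->
    gen_smtp_client:send_blocking(
        {From, [To], Body},
        ModeOpts ++ [{username, User}, {password, Pass}]).

%% Example call (hypothetical relay and credentials):
%%   smtp_tls_example:send(
%%       smtp_tls_example:implicit_tls("smtp.example.net"),
%%       {"user@example.net", "secret"},
%%       {"user@example.net", "rcpt@example.org",
%%        <<"Subject: Test\r\nFrom: user@example.net\r\n"
%%          "To: rcpt@example.org\r\n\r\nHello\r\n">>}).
```

If a relay still fails with `hostname_check_failed` under this configuration, the certificate it presents does not cover the name you dialled; the fix is to connect to the name the certificate is issued for (or get the operator to fix the certificate), not to disable SNI or drop to `verify_none`.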
