
Email step fails on servers with self-signed certificate even though SSL is not enabled #5584

Closed
hnrkndrssn opened this issue May 23, 2019 · 8 comments


@hnrkndrssn

commented May 23, 2019

Are you a customer of Octopus Deploy? Don't raise the issue here. Please contact our support team so we can triage your issue, making sure it's handled appropriately.

Prerequisites

  • I have verified the problem exists in the latest version
  • I have searched open and closed issues to make sure it isn't already reported
  • I have written a descriptive issue title
  • I have linked the original source of this report
  • I have tagged the issue appropriately (area/*, kind/bug, tag/regression?)

The bug

Sending emails via SMTP server that does not support TLS fails with TLS error even when it's configured to not use SSL. This used to work, but after the switch to MailKit it has started failing.

What I expected to happen

Sending emails via SMTP server that does not support TLS succeeds.


Log excerpt

```
An error occurred while attempting to establish an SSL or TLS connection.
                    |     The SSL certificate presented by the server is not trusted by the system for one or more of the following reasons:
                    |     1. The server is using a self-signed certificate which cannot be verified.
                    |     2. The local system is missing a Root or Intermediate certificate needed to verify the server's certificate.
                    |     3. The certificate presented by the server is expired or invalid.
                    |     See https://github.com/jstedfast/MailKit/blob/master/FAQ.md#InvalidSslCertificate for possible solutions.
                    |     The remote certificate is invalid according to the validation procedure.'
```

Affected versions

Octopus Server: 2019.5.4

Workarounds

Links

Support ticket (private): https://secure.helpscout.net/conversation/857793054/44943?folderId=571729
Slack conversation (private): https://octopusdeploy.slack.com/archives/CG4JP65N2/p1558421704473800

@hnrkndrssn hnrkndrssn self-assigned this May 23, 2019
@hnrkndrssn hnrkndrssn changed the title from "Email step fails on servers that don't support TLS even when SSL is not enabled" to "Email step fails on servers with self-signed certificate even though SSL is not enabled" May 26, 2019
@hnrkndrssn

Author

commented May 26, 2019

@hnrkndrssn hnrkndrssn closed this May 27, 2019
@octoreleasebot octoreleasebot added this to the 2019.5.5 milestone May 27, 2019
@octoreleasebot


commented May 27, 2019

Release Note: Fixed bug where emails fail due to certificate error when SSL/TLS is disabled in SMTP configuration

@matt-richardson matt-richardson added this to the 2019.5.5 milestone May 27, 2019
@hnrkndrssn

Author

commented Jun 5, 2019

Re-opening this ticket as we have had a number of reports that emails still fail but this time when using O365 as SMTP server
Tickets (private links):

@hnrkndrssn hnrkndrssn reopened this Jun 5, 2019
@hnrkndrssn hnrkndrssn closed this Jun 7, 2019
@hnrkndrssn hnrkndrssn modified the milestones: 2019.5.5, 2019.5.9 Jun 7, 2019
@hnrkndrssn

Author

commented Jun 7, 2019

Release Note: If SMTP is configured to use SSL/TLS and initial connection using SSL fails, we try to connect using TLS instead. If SMTP is not configured to use SSL/TLS we initially try to connect using TLS but if that fails we connect using an insecure connection.

@hnrkndrssn hnrkndrssn modified the milestones: 2019.5.9, 2019.5.11 Jun 14, 2019
@samrueby


commented Jun 24, 2019

Hello, I saw in the release notes:

> we initially try to connect using TLS but if that fails we connect using an insecure connection.

And we would just like some confidence that this isn't a security issue. For example, an attacker performing a MITM attack causes the connection to fail and be retried insecurely, allowing them to read the credentials on the second pass.

@hnrkndrssn

Author

commented Jun 24, 2019

Hi @samrueby,

If you have configured your SMTP configuration to use SSL/TLS we will first try to connect using an SSL-wrapped connection, and if that fails we will fall back to a TLS-wrapped connection.

If you've configured your SMTP configuration to not use SSL/TLS we will first try to connect using a TLS-wrapped connection, and if that fails we will fall back to an insecure connection.

I hope that helps.

Cheers,
Henrik
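
The attempt order from the release note and the reply above, written out as an added Python example (not Octopus Deploy's or MailKit's code) with one guard for the downgrade concern raised in this thread: after a failed TLS attempt it will not log in over the plaintext fallback. `LADDER`, `DowngradeRefused`, `smtplib_connect`, `open_session` and the injectable `connect` parameter are hypothetical names, and reading "SSL-wrapped" as implicit TLS and "TLS" as STARTTLS is an assumption.

```python
import smtplib
import ssl

# Attempt order per "use SSL/TLS" setting, following the release note above.
# Assumption: "SSL" = TLS from the first byte, "TLS" = STARTTLS upgrade.
LADDER = {True: ("implicit_tls", "starttls"), False: ("starttls", "plaintext")}


class DowngradeRefused(Exception):
    """TLS failed and continuing would send credentials in the clear."""


def smtplib_connect(host, port, mode, timeout=10):
    """Open one session in the given mode, with certificate validation on."""
    ctx = ssl.create_default_context()
    if mode == "implicit_tls":
        return smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    client = smtplib.SMTP(host, port, timeout=timeout)
    if mode == "starttls":
        try:
            client.starttls(context=ctx)
        except Exception:
            client.close()
            raise
    return client


def open_session(host, port, use_tls, credentials=None, connect=smtplib_connect):
    """Walk the ladder and return (client, mode); never log in over plaintext."""
    failures = []
    for mode in LADDER[use_tls]:
        if mode == "plaintext" and credentials is not None:
            # Reaching this rung means the TLS attempt failed; anyone on the
            # path who can make TLS fail would otherwise see the login.
            raise DowngradeRefused("TLS failed, refusing cleartext login: "
                                   + "; ".join(failures))
        try:
            client = connect(host, port, mode)
        except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
            failures.append(f"{mode}: {exc}")
            continue
        if credentials is not None:
            client.login(*credentials)
        return client, mode
    raise ConnectionError("all attempts failed: " + "; ".join(failures))
```

Unauthenticated relays still get the plaintext fallback; only sessions that carry credentials stop at the failed TLS rung.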

@samrueby


commented Jun 26, 2019

I understand, I misunderstood what the release note was saying. Thank you

@lock


commented Sep 24, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. If you think you've found a related issue, please contact our support team so we can triage your issue, and make sure it's handled appropriately.

@lock lock bot locked as resolved and limited conversation to collaborators Sep 24, 2019