Author Topic: POP3 SSL with Synapse  (Read 8971 times)

RobA

POP3 SSL with Synapse
« on: September 01, 2015, 12:25:07 am »
Hi all,

I'm having a problem with POP3 / SSL using Synapse. I haven't done any Pascal for years, and have never used Synapse (used to use ICS with Delphi years ago, though) so it's quite possible I'm missing something really basic.

I've tried to follow the example here:
http://synapse.ararat.cz/doku.php/public:howto:pop3samplessl

but made it a little simpler for test purposes. libeay32.dll, ssleay32.dll and msvcr71.dll are in the output directory.

My code is:

Code:
unit main;

{$mode objfpc}{$H+}

interface

uses
  Classes, SysUtils, FileUtil, Forms, Controls, Graphics, Dialogs,
  ExtCtrls, StdCtrls, blcksock, smtpsend, pop3send, ssl_openssl, typinfo;

type

  { TForm1 }

  TForm1 = class(TForm)
    Button1: TButton;
    LabeledEdit1: TLabeledEdit;
    LabeledEdit2: TLabeledEdit;
    LabeledEdit3: TLabeledEdit;
    LabeledEdit4: TLabeledEdit;
    Memo1: TMemo;
    procedure Button1Click(Sender: TObject);
  private
    { private declarations }
  public
    { public declarations }
    procedure SockCallBack(Sender: TObject; Reason: THookSocketReason; const Value: string);
  end;

var
  Form1: TForm1;

implementation

{$R *.lfm}

{ TForm1 }

procedure TForm1.SockCallBack(Sender: TObject; Reason: THookSocketReason; const Value: string);
var
  v: String;
begin
  // Skip the high-volume progress events; log everything else to the memo
  if (Reason = HR_ReadCount) or
     (Reason = HR_WriteCount) or
     (Reason = HR_CanRead) then
    Exit;
  v := GetEnumName(TypeInfo(THookSocketReason), Integer(Reason)) + ' ' + Value;
  Memo1.Lines.Add(v);
end;

procedure TForm1.Button1Click(Sender: TObject);
var
  pop3: TPOP3Send;
  i: integer;
begin
  pop3 := TPOP3Send.Create();
  try
    pop3.Sock.OnStatus := @SockCallBack;
    pop3.AutoTLS := false;
    pop3.Username := LabeledEdit2.Text;
    pop3.Password := LabeledEdit3.Text;
    pop3.TargetHost := LabeledEdit1.Text;
    pop3.TargetPort := LabeledEdit4.Text;
    pop3.FullSSL := true;
    pop3.Sock.SSL.SSLType := LT_SSLv3;

    pop3.Sock.SSLDoConnect();

    pop3.Login();
    pop3.List(0);
    Memo1.Lines.AddStrings(pop3.FullResult);
  finally
    pop3.Free;
  end;
end;

end.

The results written to the memo field are (with actual server addresses removed, obviously!):

Code:
HR_Error 10091,Network subsystem is unusable
HR_SocketClose
HR_ResolvingBegin mail.xxx:995
HR_ResolvingEnd xxx:995
HR_SocketCreate IPv4
HR_Connect mail.xxx:995
HR_Error 10091,error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
HR_Error 10054,Connection reset by peer
HR_Error 10054,Connection reset by peer
HR_SocketClose

Does anyone have any idea why I'm getting the Network Subsystem is unusable error?

TIA

Rob.

rvk

Re: POP3 SSL with Synapse
« Reply #1 on: September 01, 2015, 09:45:43 am »
First of all... are you sure the server supports SSLv3?

Second... you need to remove the SSLDoConnect from your code. You have FullSSL set to True, and if you do, the SSLDoConnect is done automatically at connect.

(See the code in pop3send:)
Code:
function TPOP3Send.Connect: Boolean;
begin
  // Do not call this function! It is calling by LOGIN method!
  FStatCount := 0;
  FStatSize := 0;
  FSock.CloseSocket;
  FSock.LineBuffer := '';
  FSock.Bind(FIPInterface, cAnyPort);
  if FSock.LastError = 0 then
    FSock.Connect(FTargetHost, FTargetPort);
  if FSock.LastError = 0 then
    if FFullSSL then
      FSock.SSLDoConnect;         // <--- here the SSLDoConnect is done automatically if FullSSL = true
  Result := FSock.LastError = 0;
end;

(I'm not sure why it is done so in the example. Maybe from an earlier version where this was not done.)

If this still doesn't work... what version of Synapse are you using? Version 40 is quite old and you should use the ones in svn. They are stable enough.
« Last Edit: September 01, 2015, 09:47:38 am by rvk »

Thaddy

Re: POP3 SSL with Synapse
« Reply #2 on: September 01, 2015, 09:56:21 am »
Note in recent OpenSSL, SSLV3 is dropped for security reasons. So if you MUST use SSLV3 - which I highly warn against - use an old version of OpenSSL. SSLV3 is an absolute no-no, except for a local network, maybe.
In the latest (any, not only openssl) crypto libraries, there is even no fall-back to sslv3. Don't use it.

So: Like the advice before: Check if your server supports sslv3! I really hope for your sake it doesn't.

You can recompile OpenSSL yourself to support it, but I won't do that ever, never. And it is announced they will remove the code in the future.

Try TLS 1.2 instead. Most servers still support a fall-back to sslv2, btw (also compromised, but not nearly as insecure as sslv3). Google on "poodle attack" and "disable sslv3" and check the write up on wikipedia.

If you don't fully understand crypto issues, just trust me, it is sound advice from an expert.

BTW: (last edit) Synapse supports TLS1.2.
(Absolute last edit) Most recent browsers and email clients have sslv3 disabled by default.
« Last Edit: September 01, 2015, 10:17:09 am by Thaddy »
Object Pascal programmers should get rid of their "component fetish" especially with the non-visuals.
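Thaddy's advice is to find out what the server actually accepts. The following is an added example, not code from this thread or from the Synapse project: a Free Pascal console program that uses Synapse's raw TTCPBlockSocket to try one protocol version at a time against a mail server's TLS port and report which handshakes complete, so you can confirm that your own server refuses SSLv3 and accepts TLS 1.2. The program name, the TProbe record, the HandshakeOk function and the usage (`tlsprobe mail.example.com 995`) are mine; it assumes a Synapse svn snapshot whose TSSLType includes LT_TLSv1_1 and LT_TLSv1_2.

```pascal
program tlsprobe;
{$mode objfpc}{$H+}
// Added example, not code from the thread or from Synapse: tries one protocol
// version at a time against a mail server's TLS port and reports which
// handshakes complete, so you can confirm your own server refuses SSLv3.
// Assumes a Synapse svn snapshot whose TSSLType has LT_TLSv1_1 and LT_TLSv1_2.

uses
  SysUtils, blcksock, ssl_openssl;

type
  TProbe = record
    Name: string;
    Proto: TSSLType;
  end;

const
  Probes: array[0..3] of TProbe = (
    (Name: 'TLS 1.2'; Proto: LT_TLSv1_2),
    (Name: 'TLS 1.1'; Proto: LT_TLSv1_1),
    (Name: 'TLS 1.0'; Proto: LT_TLSv1),
    (Name: 'SSLv3';   Proto: LT_SSLv3));

// True if the server completes a handshake with exactly this version.
// A raw TTCPBlockSocket needs the explicit SSLDoConnect after Connect;
// TPOP3Send with FullSSL does both for you inside Login.
function HandshakeOk(const Host, Port: string; Proto: TSSLType;
  out Detail: string): Boolean;
var
  Sock: TTCPBlockSocket;
begin
  Result := False;
  Sock := TTCPBlockSocket.Create;
  try
    Sock.SSL.SSLType := Proto;   // pin a single version, no fallback
    Sock.Connect(Host, Port);
    if Sock.LastError <> 0 then
    begin
      Detail := 'TCP: ' + Sock.LastErrorDesc;
      Exit;
    end;
    Sock.SSLDoConnect;
    Result := Sock.LastError = 0;
    if Result then
      Detail := 'negotiated ' + Sock.SSL.GetSSLVersion
    else
      Detail := Sock.LastErrorDesc;  // e.g. an "alert handshake failure"
    Sock.CloseSocket;
  finally
    Sock.Free;
  end;
end;

var
  Host, Port, Detail: string;
  P: TProbe;
begin
  if ParamCount < 1 then
  begin
    WriteLn('usage: tlsprobe <host> [port]   (port defaults to 995)');
    Halt(1);
  end;
  Host := ParamStr(1);
  if ParamCount >= 2 then
    Port := ParamStr(2)
  else
    Port := '995';
  for P in Probes do
    if HandshakeOk(Host, Port, P.Proto, Detail) then
      WriteLn(P.Name:8, '  accepted  ', Detail)
    else
      WriteLn(P.Name:8, '  refused   ', Detail);
end.
```

With a current OpenSSL the SSLv3 row fails on the client side before the server ever sees a ClientHello, which is the outcome you want either way; an "accepted" on the SSLv3 or TLS 1.0 rows for a server you run is the finding to act on.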

RobA

Re: POP3 SSL with Synapse
« Reply #3 on: September 01, 2015, 11:13:16 am »
rvk - THANK YOU! I've commented out the SSLType and SSLDoConnect, and now the connection is successful! Been chasing that around for a couple of days now.

I assume that means the SSLType is falling back to a default value? I'll have to dig in the source and see what it is.

Rob.

RobA

Re: POP3 SSL with Synapse
« Reply #4 on: September 01, 2015, 11:17:52 am »
Thaddy,

Thanks for that info - no, crypto issues aren't my field, I'm just trying to make a simple POP3 client :o

As far as I can see, the server doesn't actually support SSLV3, which probably explains part of the problem I was having!

I'll check into TLS as a better option. Some googling is in order here, I can see!

Thanks again,

Rob.

Thaddy

Re: POP3 SSL with Synapse
« Reply #5 on: September 01, 2015, 12:00:58 pm »
Then your server is up to date   8-)

RobA

Re: POP3 SSL with Synapse
« Reply #6 on: September 02, 2015, 01:00:08 am »
So, having poked around in blcksock.pas, it seems that, in TCustomSSL's Create constructor, FSSLType is initially set to LT_all.

Is it safe to leave it at that, or should I offer users the ability to specifically select one of the other LT_ options? Maybe via a check box along the lines of "Server requires SSL / TLS" and a drop down list with the default selection being, say Automatic (i.e. LT_all)?

A similar question applies to the AutoTLS option in pop3send.pas. If the user doesn't check the "Server requires SSL / TLS" check box, is it safe to silently use the AutoTLS option, or is it better to let the user choose via another checkbox?

I'm torn between keeping things simple, and making sure the software will work with as many server implementations as possible, so any suggestions would be much appreciated!

Rob.

Thaddy

Re: POP3 SSL with Synapse
« Reply #7 on: September 02, 2015, 07:34:17 am »
You can safely let your client accept all, because a properly configured server will only allow fallbacks to protocols that are deemed safe if the requested protocol is not available. And you have already shown your specific server is properly configured by not allowing sslv3. If you want to limit at the client side, do it like: ask TLS1.2 then TLS 1.1 then SSLv2 and skip anything else. Do not accept TLS1.0 or SSLv3 in any case.

The threat with these is such that if a server still offers them, you must regard it as done on purpose! Or done by nitwits. Both are of course equally dangerous.

[edit]
I forgot to mention that if you use synapse and a recent version of openssl the proper fallbacks will be done automatically through openssl and sslv3/tls1.0 is ignored. So basically, writing your code to accept all is safe anyway, provided the client's openssl version is recent. Make sure to always check back what the current status regarding security is, though; that is good practice.
« Last Edit: September 02, 2015, 11:21:12 am by Thaddy »
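Pulling together rvk's point (Login already calls SSLDoConnect when FullSSL is True), Rob's question about LT_all versus an explicit version and FullSSL versus AutoTLS, and Thaddy's advice to allow only current TLS, the following is an added example, not the thread's code and not Synapse's own. It is a console POP3 client built on TPOP3Send that never calls SSLDoConnect itself, pins TLS 1.2, turns on certificate verification, picks implicit TLS (FullSSL, port 995) or STLS upgrade (AutoTLS, port 110) from one flag, and refuses to go on after Login unless the socket really is encrypted. The TLogger class, the CountMessages function and the CA bundle path are mine; it assumes a Synapse svn snapshot whose TSSLType has LT_TLSv1_2 and whose TCustomSSL exposes VerifyCert, CertCAFile, SSLEnabled, GetSSLVersion and GetPeerSubject.

```pascal
program pop3check;
{$mode objfpc}{$H+}
// Added example, not code from the thread or from Synapse. Console POP3 client
// on TPOP3Send: Login does the TLS setup (no SSLDoConnect here), TLS 1.2 is
// pinned, the server certificate is verified, and one flag picks implicit
// TLS (FullSSL, port 995) or STLS upgrade (AutoTLS, port 110).
// Assumes a Synapse svn snapshot with LT_TLSv1_2 in TSSLType and VerifyCert,
// CertCAFile, SSLEnabled, GetSSLVersion and GetPeerSubject on TCustomSSL.

uses
  SysUtils, TypInfo, blcksock, pop3send, ssl_openssl;

const
  CA_BUNDLE = 'cacert.pem';  // placeholder: path to your trusted CA bundle

type
  // Console counterpart of the thread's SockCallBack: logs socket events.
  TLogger = class
    procedure OnStatus(Sender: TObject; Reason: THookSocketReason;
      const Value: string);
  end;

procedure TLogger.OnStatus(Sender: TObject; Reason: THookSocketReason;
  const Value: string);
begin
  if Reason in [HR_ReadCount, HR_WriteCount, HR_CanRead] then
    Exit;
  WriteLn('  ', GetEnumName(TypeInfo(THookSocketReason), Ord(Reason)), ' ', Value);
end;

// Logs in, checks that the session is really encrypted, and returns the
// message count from STAT, or -1 with Err set.
function CountMessages(const Host, Port, User, Pass: string;
  ImplicitTLS: Boolean; out Err: string): Integer;
var
  Pop: TPOP3Send;
  Log: TLogger;
begin
  Result := -1;
  Err := '';
  Log := TLogger.Create;
  Pop := TPOP3Send.Create;
  try
    Pop.Sock.OnStatus := @Log.OnStatus;
    Pop.TargetHost := Host;
    Pop.TargetPort := Port;
    Pop.Username := User;
    Pop.Password := Pass;
    Pop.FullSSL := ImplicitTLS;           // 995: TLS from the first byte
    Pop.AutoTLS := not ImplicitTLS;       // 110: clear greeting, then STLS
    Pop.Sock.SSL.SSLType := LT_TLSv1_2;   // not LT_all: no SSLv3 or TLS 1.0
    Pop.Sock.SSL.VerifyCert := True;      // fail on untrusted or wrong-name certs
    Pop.Sock.SSL.CertCAFile := CA_BUNDLE;
    // No SSLDoConnect: TPOP3Send.Connect, called by Login, does it for FullSSL.
    if not Pop.Login then
    begin
      Err := 'login failed: ' + Pop.Sock.LastErrorDesc + ' ' + Pop.ResultString;
      Exit;
    end;
    // AutoTLS is opportunistic; whether Login carries on in clear when STLS
    // is refused depends on the Synapse version, so check before going further.
    if not Pop.Sock.SSL.SSLEnabled then
    begin
      Err := 'session not encrypted after Login; treat the password as exposed';
      Pop.Logout;
      Exit;
    end;
    WriteLn('  ', Pop.Sock.SSL.GetSSLVersion, ' with ', Pop.Sock.SSL.GetPeerSubject);
    if Pop.Stat then
      Result := Pop.StatCount
    else
      Err := 'STAT failed: ' + Pop.ResultString;
    Pop.Logout;
  finally
    Pop.Free;
    Log.Free;
  end;
end;

var
  Port, Pass, Err: string;
  Count: Integer;
begin
  if ParamCount < 3 then
  begin
    WriteLn('usage: pop3check <host> <port> <user>   (password read from stdin)');
    Halt(1);
  end;
  Port := ParamStr(2);
  Write('password: ');
  ReadLn(Pass);  // echoed on the console: fine for a test tool, not for a product
  Count := CountMessages(ParamStr(1), Port, ParamStr(3), Pass, Port = '995', Err);
  if Count < 0 then
  begin
    WriteLn('error: ', Err);
    Halt(2);
  end;
  WriteLn(Count, ' message(s) waiting');
end.
```

Dropping the explicit SSLDoConnect also accounts for the first `HR_Error 10091,Network subsystem is unusable` line in Rob's memo output: it is logged before HR_ResolvingBegin, which is consistent with a handshake attempted on a socket that was not yet connected. For a program offered to other users, the safest default is what this block does on port 995: implicit TLS with an explicit version and certificate verification on, and the STLS path only as an opt-in for servers that have no TLS port.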

RobA

Re: POP3 SSL with Synapse
« Reply #8 on: September 02, 2015, 07:32:54 pm »
Thaddy, thanks for your help on that - much appreciated!

The program is something that I have need of myself, but I thought I might release it as freeware (if I ever get it working properly!) hence I was concerned about it working with minimal fuss with as many configurations as possible.

Good point about updated openssl. I've been using the latest (as of a couple of days ago) snapshot of Synapse with the dll binaries from here:
http://synapse.ararat.cz/files/crypt/

But I see the dlls are v 0.9.8.4 and the latest version is 1.0.2d. I'll grab the latest binaries from a mirror and give them a try later.

Rob.

 
