Loomio

Mailing Issue: SSL wrong version number

Charles B.

I'm new to a lot of the tools here (docker, loomio, etc.) and while I nearly managed to run my loomio on my server, I failed to correctly send mail with loomio.

I have installed loomio following the official documentation available here: https://github.com/loomio/loomio-deploy/
I have it set up on a server which was not running anything (yet).
I set it up to be run on a subdomain that I own (loomio.mydomain.org)
* I had a first headache because the .env file is never read when I run the docker-compose up -d command (I manually added them to my environment).

But the issue is the following: I set up a sparkpost account and am able to send mail (tested through swaks) from the server.

But the loomio mailer always failed with this error:
```
loomio-worker | Sent mail to my.email@indie.host (367.2ms)
loomio-worker | [Worker(host:ed4ede424a84 pid:7)] Job UserMailer.login (id=73) FAILED (0 prior attempts) with OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: wrong version number
loomio-worker | 2019-10-07T15:00:12+0000: [Worker(host:ed4ede424a84 pid:7)] Job UserMailer.login (id=73) FAILED (0 prior attempts) with OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: wrong version number
```

I read some mail and tried some openssl commands:
From my server:
```
openssl s_client -connect smtp.sparkpostmail.com:587
CONNECTED(00000003)
140665815314496:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1570460833
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
```

From the container:
```
docker exec -ti loomio-worker openssl s_client -connect smtp.sparkpostmail.com:587
CONNECTED(00000003)
139668762641536:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 314 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
```

My server has both IPv4 and IPv6 addresses but I don't know if that helps.

I'm sorry I'm kinda lost here.
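Added example, not part of the original post: both s_client runs above stop after reading exactly 5 bytes, which is the size of a TLS record header. Port 587 is the mail submission port, where a server greets in plaintext and expects the client to upgrade with STARTTLS, so a client that starts TLS immediately parses the greeting as a record header. The Ruby sketch below classifies those first 5 bytes; the sample inputs are constructed.

```ruby
# Added example (not from the thread). Classifies the first bytes a client
# reads after connecting: the 5-byte span a TLS client parses as a record header.
TLS_CONTENT_TYPES = {
  20 => :change_cipher_spec, 21 => :alert, 22 => :handshake, 23 => :application_data
}.freeze

# Returns a hash describing what the peer sent first.
def classify_first_bytes(bytes)
  raw = bytes.b
  return { kind: :too_short } if raw.bytesize < 5

  # TLS record header: content type (1), version major/minor (2), length (2).
  type, major, minor, length = raw.unpack('CCCn')
  if TLS_CONTENT_TYPES.key?(type) && major == 3
    return { kind: :tls_record, content_type: TLS_CONTENT_TYPES[type],
             version: [major, minor], length: length }
  end
  # An SMTP greeting starts with a three-digit reply code, then space or hyphen.
  if raw[0, 4].match?(/\A\d{3}[ -]/)
    return { kind: :smtp_greeting, reply_code: raw[0, 3].to_i,
             bogus_tls_version: [major, minor] }
  end
  { kind: :unknown, bogus_tls_version: [major, minor] }
end

def advice_for(bytes)
  case classify_first_bytes(bytes)[:kind]
  when :smtp_greeting then 'plaintext SMTP first: upgrade with STARTTLS, do not start TLS immediately'
  when :tls_record    then 'implicit TLS: wrap the socket in TLS from the first byte'
  else 'neither SMTP nor TLS: check host and port'
  end
end

# Constructed samples: a plaintext greeting, and the header of a TLS 1.2
# handshake record (type 22, version 3.3, length 74).
SAMPLE_GREETING = "220 mail.example.test ESMTP\r\n"
SAMPLE_TLS = [22, 3, 3, 74].pack('CCCn')

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_GREETING, SAMPLE_TLS].each do |sample|
    puts "#{sample[0, 5].inspect} -> #{classify_first_bytes(sample)}"
    puts "  #{advice_for(sample)}"
  end
end
```

For a live check, `openssl s_client -starttls smtp -connect host:587` performs the plaintext exchange and the STARTTLS upgrade before the handshake.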

Rob Guthrie Mon 7 Oct 2019

Hi @Charles B. can you post your loomio SMTP config?

Charles B. Tue 8 Oct 2019

Hello Rob, sure, my SMTP config is the following:
```
SMTP_AUTH=login
SMTP_DOMAIN=MyDomain.org
SMTP_SERVER=smtp.sparkpostmail.com
SMTP_PORT=587
SMTP_USERNAME=MySmtpUserName
SMTP_PASSWORD=MySmtpPassword
SMTP_USE_SSL=1
REPLY_HOSTNAME=MyDomain.org
```

knowing that currently the loomio instance is served on subdomain.MyDomain.org (I don't know if that makes a difference)

Rob Guthrie Wed 9 Oct 2019

Hi @Charles B. I came across this page:

https://batsov.com/articles/2012/12/06/dealing-with-ssl-certificate-validation-errors-in-rails/

The Loomio SMTP config lives in config/application.rb and it does not have the :enable_starttls_auto option. I wonder if that would help.

Actually further reading from https://guides.rubyonrails.org/action_mailer_basics.html indicates to me that it's not what the problem is.

To be clear, Loomio does not really contain any SMTP code, this is working directly with Rails, so it's likely to be a solvable issue.

Sorry - SMTP is always so tricky to work out!

Charles B. Mon 14 Oct 2019

Thanks for your investigation, I had a similar conclusion:
enable_starttls_auto being true by default, it shouldn't be my issue.
However I'm kinda stuck here:
I have no idea where I should search for fixing that issue nor what is the exact command used by loomio to send mail.
Since I have no knowledge about docker nor about rails, what would you recommend me to look for answers to my issue?

Charles B. Tue 22 Oct 2019

I have finally dropped the installation :(

Rob Guthrie Tue 22 Oct 2019

I'm really sorry Charles. I hope we will make this better some day, I'm just unable to work on it right now.

Thanks for trying, and for reporting the problems you found.

Charles B. Tue 22 Oct 2019

Hey Rob, no issue here.
I perfectly understand that :)
Just saying I'm going to stop trying for now and maybe I will try to resume later.

For now my belief is that it may be related to the starttls option, but I am unable to test with it as my understanding of docker and ruby on rails is too shallow.

Keep up the good work out there Rob :)

Pablo Costa Mon 8 Mar

I think this comment might have a hint about what's going on.

Running the stable container as of today (2 days old) — I'm looking at line 114 in config/application.rb and there is indeed a way to set the "verify mode" from an environment variable, but it defaults to 'none'.
```ruby
config.action_mailer.smtp_settings = {
  address: ENV['SMTP_SERVER'],
  port: ENV['SMTP_PORT'],
  authentication: ENV['SMTP_AUTH'],
  user_name: ENV['SMTP_USERNAME'],
  password: ENV['SMTP_PASSWORD'],
  domain: ENV['SMTP_DOMAIN'],
  ssl: ENV['SMTP_USE_SSL'],
  openssl_verify_mode: ENV.fetch('SMTP_SSL_VERIFY_MODE', 'none')
}.compact
```

I guess the "proper" way to configure SMTP would involve providing the ca_file or ca_path, or actually disabling the check.

Trying to reach the lower hanging fruit, I comment out the SMTP_USE_SSL variable in the env file, but I think Loomio is still attempting to use STARTTLS.

I would like to try setting enable_starttls_auto: false in the smtp_settings above but I don't know how to "restart" the application without killing the container :P

@robertguthrie do you think these parameters would be worthy of having their own variables in the env file? I'm afraid I don't have the base knowledge to change the source code and build a custom loomio container.
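Added example, not Loomio's code and not part of the original post: one way the settings hash quoted above could take its TLS mode from explicit variables, flag a port and mode mismatch, and verify certificates unless told otherwise. `SMTP_STARTTLS` is a hypothetical variable and the `'peer'` default is an assumption; the other names are the ones quoted in the thread.

```ruby
# Added example, not Loomio's code. SMTP_STARTTLS is a hypothetical variable;
# the other variable names are the ones quoted in the thread.
TRUTHY = %w[1 true yes on].freeze

# Parse a flag explicitly: in `ssl: ENV['SMTP_USE_SSL']` any string, including
# "0" or "false", is truthy in Ruby, so only an unset variable turns it off.
def env_flag(env, key, default)
  value = env[key].to_s.strip.downcase
  value.empty? ? default : TRUTHY.include?(value)
end

# Returns [settings, warnings]; settings is shaped for action_mailer.smtp_settings.
def smtp_settings_from(env)
  port = Integer(env.fetch('SMTP_PORT', '587'))
  implicit_tls = env_flag(env, 'SMTP_USE_SSL', port == 465)
  starttls = env_flag(env, 'SMTP_STARTTLS', !implicit_tls)
  raise ArgumentError, 'pick implicit TLS or STARTTLS, not both' if implicit_tls && starttls

  verify = env.fetch('SMTP_SSL_VERIFY_MODE', 'peer') # assumption: verify by default
  warnings = []
  warnings << 'implicit TLS on port 587, which normally expects STARTTLS' if implicit_tls && port == 587
  warnings << 'STARTTLS on port 465, which normally expects implicit TLS' if starttls && port == 465
  warnings << 'no TLS at all: credentials would travel in cleartext' unless implicit_tls || starttls
  warnings << 'certificate verification is disabled' if verify == 'none'

  settings = {
    address: env['SMTP_SERVER'],
    port: port,
    authentication: env['SMTP_AUTH'],
    user_name: env['SMTP_USERNAME'],
    password: env['SMTP_PASSWORD'],
    domain: env['SMTP_DOMAIN'],
    ssl: implicit_tls,
    enable_starttls_auto: starttls,
    openssl_verify_mode: verify
  }.compact
  [settings, warnings]
end

# Constructed environment mirroring the variables posted earlier in the thread.
THREAD_ENV = {
  'SMTP_SERVER' => 'smtp.sparkpostmail.com', 'SMTP_PORT' => '587',
  'SMTP_AUTH' => 'login', 'SMTP_DOMAIN' => 'MyDomain.org', 'SMTP_USE_SSL' => '1'
}.freeze

if __FILE__ == $PROGRAM_NAME
  p smtp_settings_from(THREAD_ENV)
  p smtp_settings_from(THREAD_ENV.reject { |key, _| key == 'SMTP_USE_SSL' })
end
```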

Rob Guthrie Tue 9 Mar

I think the problem is you're not restarting properly, you need to destroy the container to have new environment variables take place.

All Loomio config and data lives outside the containers so you can do docker-compose down and up safely.