0
votes

I've just installed an Ubuntu 20.04 server and I've installed Redmine, but mail sending with SSL enabled does not work.

So I've started some tests for sending an email with Ruby.

I've seen a way to send a mail in this post, so I've tried to do the same thing with a script and related mailer/daily_email.text.erb:

require "action_mailer"

ActionMailer::Base.raise_delivery_errors = true
ActionMailer::Base.logger = Logger.new(STDOUT)
ActionMailer::Base.logger.level = Logger::DEBUG
ActionMailer::Base.delivery_method = :smtp
ActionMailer::Base.smtp_settings = {
  :address   => "smtps.aruba.it",
  :port      => 465,
  :domain    => "mydomain.it",
  :authentication => :login,
  :user_name      => "[email protected]",
  :password       => "mypassword",
  :enable_starttls_auto => true,
  :ssl => true
}

ActionMailer::Base.view_paths= File.dirname(__FILE__)

class Mailer < ActionMailer::Base

  def daily_email
    @var = "var"

    mail(   :to      => "[email protected]",
            :from    => "[email protected]",
            :subject => "testing mail") do |format|
              format.text
              format.html
    end
  end
end

email = Mailer.daily_email
puts email
email.deliver

This is a text email

and this is a variable <%= @var %>

This is the output of the script

rmadmin@redmineserver:~/scripts$ ruby test_mail.rb
D, [2020-06-26T08:59:34.798706 #1340] DEBUG -- : Mailer#daily_email: processed outbound mail in 1396.4ms
Date: Fri, 26 Jun 2020 08:59:34 +0000
From: [email protected]
To: [email protected]
Message-ID: <[email protected]>
Subject: testing mail
Mime-Version: 1.0
Content-Type: text/plain;
 charset=UTF-8
Content-Transfer-Encoding: 7bit

This is a text email

and this is a variable var
I, [2020-06-26T08:59:39.961850 #1340]  INFO -- : Delivered mail [email protected] (5152.0ms)
D, [2020-06-26T08:59:39.962362 #1340] DEBUG -- : Date: Fri, 26 Jun 2020 08:59:34 +0000
From: [email protected]
To: [email protected]
Message-ID: <[email protected]>
Subject: testing mail
Mime-Version: 1.0
Content-Type: text/plain;
 charset=UTF-8
Content-Transfer-Encoding: 7bit

This is a text email

and this is a variable var

Traceback (most recent call last):
        16: from test_mail.rb:36:in `<main>'
        15: from /usr/lib/ruby/2.7.0/delegate.rb:83:in `method_missing'
        14: from /var/lib/gems/2.7.0/gems/mail-2.7.1/lib/mail/message.rb:260:in `deliver'
        13: from /var/lib/gems/2.7.0/gems/actionmailer-6.0.3.2/lib/action_mailer/base.rb:587:in `deliver_mail'
        12: from /var/lib/gems/2.7.0/gems/activesupport-6.0.3.2/lib/active_support/notifications.rb:180:in `instrument'
        11: from /var/lib/gems/2.7.0/gems/activesupport-6.0.3.2/lib/active_support/notifications/instrumenter.rb:24:in `instrument'
        10: from /var/lib/gems/2.7.0/gems/activesupport-6.0.3.2/lib/active_support/notifications.rb:180:in `block in instrument'
         9: from /var/lib/gems/2.7.0/gems/actionmailer-6.0.3.2/lib/action_mailer/base.rb:589:in `block in deliver_mail'
         8: from /var/lib/gems/2.7.0/gems/mail-2.7.1/lib/mail/message.rb:260:in `block in deliver'
         7: from /var/lib/gems/2.7.0/gems/mail-2.7.1/lib/mail/message.rb:2159:in `do_delivery'
         6: from /var/lib/gems/2.7.0/gems/mail-2.7.1/lib/mail/network/delivery_methods/smtp.rb:100:in `deliver!'
         5: from /var/lib/gems/2.7.0/gems/mail-2.7.1/lib/mail/network/delivery_methods/smtp.rb:109:in `start_smtp_session'
         4: from /usr/lib/ruby/2.7.0/net/smtp.rb:518:in `start'
         3: from /usr/lib/ruby/2.7.0/net/smtp.rb:552:in `do_start'
         2: from /usr/lib/ruby/2.7.0/net/smtp.rb:584:in `tlsconnect'
         1: from /usr/lib/ruby/2.7.0/net/protocol.rb:44:in `ssl_socket_connect'
/usr/lib/ruby/2.7.0/net/protocol.rb:44:in `connect_nonblock': SSL_connect returned=1 errno=0 state=error: unsupported protocol (OpenSSL::SSL::SSLError)

I've tried the SMTP parameters in an email client and they work.

I'm migrating from a redmine installation from an old Ubuntu 16.04 server, where mail sending works.

I've tried many variations of the configuration without success. I'm starting to think that there's a difference in the openssl version used by Ubuntu 20.04 and Ubuntu 16.04, but I'm not able to check where this information is and if I can tell ActionMailer to use a different version of ssl.

Some answers, like this one, are not applicable because they are too old.

This is the output of openssl version -a

OpenSSL 1.1.1f  31 Mar 2020
built on: Mon Apr 20 11:53:50 2020 UTC
platform: debian-amd64
options:  bn(64,64) rc4(16x,int) des(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-P_ODHM/openssl-1.1.1f=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
OPENSSLDIR: "/usr/lib/ssl"
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
Seeding source: os-specific

I've also tried to modify the openssl configuration, without results.

What should I do in order to fix this ssl problem on ruby on Ubuntu 20.04?

1 Answer

2
votes

To quote the NEWS.Debian entry of the libssl1.1 package, which ships most of the OpenSSL core in Ubuntu 20.04 (you can find it at /usr/share/doc/libssl1.1/NEWS.Debian on your system):

The default security level for TLS connections was increased from level 1 to level 2. This moves from the 80 bit security level to the 112 bit security level and will require 2048 bit or larger RSA and DHE keys, 224 bit or larger ECC keys, SHA-2, TLSv1.2 or DTLSv1.2.

The system wide settings can be changed in /etc/ssl/openssl.cnf. Applications might also have a way to override the defaults.

In the default /etc/ssl/openssl.cnf one can add sections to specify CipherString. The CipherString can be used to set the security level. Information about the security levels can be found in the SSL_CTX_set_security_level(3ssl) manpage. Other information can be found in ciphers(1ssl) and config(5ssl).

Changing back the defaults in /etc/ssl/openssl.cnf to previous system wide defaults can be done by adding at the top of the file:

# System default
openssl_conf = default_conf

and adding at the bottom of the file:

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=1

It's recommended that you contact the remote site in case the defaults cause problems.

In your case, this is exactly the problem: your mail provider apparently doesn't support TLS 1.2 (or TLS 1.3) yet on their mail servers, which causes connections that enforce this security level (as is the default in Ubuntu 20.04) to fail.

For the short term, you can follow the advice from the NEWS entry if you can accept the less secure configuration. You should however also contact your mail provider and ask them to update their server configuration (and likely also their software) so that they support newer TLS protocols than just the outdated and insecure TLSv1.0.
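
Added example, not part of the answer above or of the NEWS.Debian text: a Ruby check that follows the openssl_conf -> ssl_conf -> system_default chain from that entry and reports the configured SECLEVEL, including the case where openssl_conf sits below a section header, so OpenSSL does not read it as a default-section key and the edit has no effect. The function names are hypothetical, both configurations are constructed samples, and the parser is simplified (no .include, no variable expansion).

```ruby
# Parse openssl.cnf text into { section => { key => value } }. Keys seen
# before the first [section] header belong to the "default" section.
def parse_openssl_cnf(text)
  section = "default"
  conf = Hash.new { |h, k| h[k] = {} }
  text.each_line do |line|
    line = line.sub(/#.*/, "").strip # simplification: no quoted '#'
    if (m = line.match(/\A\[\s*(\S+?)\s*\]\z/))
      section = m[1]
    elsif (m = line.match(/\A([^=\s]+)\s*=\s*(.*)\z/))
      conf[section][m[1]] = m[2]
    end
  end
  conf
end

# Follow openssl_conf -> ssl_conf -> system_default from the default
# section; return that section's settings, or nil if the chain is broken.
def system_default_settings(text)
  conf = parse_openssl_cnf(text)
  name = "default"
  %w[openssl_conf ssl_conf system_default].each do |key|
    name = conf.fetch(name, {})[key]
    return nil unless name
  end
  conf.fetch(name, nil)
end

# Security level named in CipherString, or nil when none is configured.
def configured_seclevel(text)
  settings = system_default_settings(text)
  settings && settings["CipherString"].to_s[/@SECLEVEL=(\d)/, 1]&.to_i
end

# Constructed sample: the NEWS.Debian edit applied as described.
APPLIED = <<~CNF
  # System default
  openssl_conf = default_conf
  [ req ]
  default_bits = 2048
  [default_conf]
  ssl_conf = ssl_sect
  [ssl_sect]
  system_default = system_default_sect
  [system_default_sect]
  CipherString = DEFAULT:@SECLEVEL=1
CNF
# Constructed sample: a section header precedes openssl_conf, so the key
# is read as part of [ req ] and the chain is never entered.
MISPLACED = "[ req ]\n" + APPLIED

puts "applied:   SECLEVEL=#{configured_seclevel(APPLIED).inspect}"
puts "misplaced: SECLEVEL=#{configured_seclevel(MISPLACED).inspect}"
```

A nil result means the file sets no level through this chain, so the level compiled into the library (the -DOPENSSL_TLS_SECURITY_LEVEL=2 visible in the openssl version -a output above) stays in effect.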