SMTP validation raises SSLError with message DH_KEY_TOO_SMALL #79
Labels
No Milestone
No project
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: karolyi/py3-validate-email#79
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Describe the bug
SMTP validation raises
SSLError
with following message:ssl.SSLError: [SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:1129)
To Reproduce
I cannot publicly share the email address that triggers this error. I can send it privately, if it is needed.
My debug output
Output from the debug run described in the FAQ:
I had to remove SMTP server name and IP, as I cannot publicly disclose them. However, I can send them privately.
Expected behavior
I think that the error should either be ignored, as it is done here:
https://github.com/karolyi/py3-validate-email/blob/master/validate_email/smtp_check.py#L84
Or handled, in order to produce an ambiguous result.
Please complete the following information:
py3-validate-email
module version: 1.0.1Additional context
The Docker container can correctly validate other email addresses, the error is raised by a specific SMTP server.
Hey,
this seems odd.
Can you please share the email address privately so I can test with it? Just shoot an email to laszlo -at- karolyi -dot- hu with it.
Thanks.
So, after having gotten your email, I went over to my server and issued a test. For me, starttls worked out right for the same host (smtp1p1) you specified.
I think the error must be on your end since I can't reproduce it. Can you tell me which openssl version is installed within that docker container? Just a hunch, but that might be the culprit.
Hello @karolyi,
Thank you.
openssl version
command says:OpenSSL 1.1.1k 25 Mar 2021
It seems that recent Debian releases have tightened SSL security:
https://askubuntu.com/a/1263098
I tried to apply these instructions to a test container and the validation for that email address started working:
https://askubuntu.com/a/1296578
What do you think about this? Should user code, not library code, handle
SSLError
, because it is something related to the environment configuration?RFC 3207 states that,
I'd like to follow this behavior which means we return
None
invalidate_email()
and raiseSMTPTemporaryError
invalidate_email_or_fail()
.Maybe adding an
smtp_require_tls=False
and an optionally passableSSLContext
option is feasible here, to be able to not use STARTTLS when this exception is raised.smtp_require_tls
would beTrue
per default, resulting in the client deciding on an ambiguous response when the handshake fails.@reinhard-mueller, do you have an opinion on this? Anything to add?
Even better, to signify that there was an actual failure of the TLS handshake, I'd introduce a new exception which can be catched, should the user decide that way.
Maybe it would make sense to try to continue without TLS, like we already do for other kinds of SSL problems? Are there SMTP servers out there which refuse to communicate without TLS?
Problem is, once you wrapped the connection in an SSL wrapper, you can't get it back. The same happens with other clients, they simply disconnect after the TLS negotiation has failed. Even if you can recover from
SSLError
atcontext.wrap_socket()
, I think the server will either already assume you talk the TLS protocol, or just simply close the connection over the negotiation failure.To be honest I'm against reconnecting immediately, none of other cliens do that either (other than ones that are written badly and want to spam). If they do, fail2ban is easily able to catch them, for example.
Normally a client should retry in about 5 minutes, but I'm not sure if they should remember that they have failed earlier so next time they would not use TLS negotiation.
Hence my opinion of failing silently and giving an ambiguous response.
Still, I'm open to suggestions.
Thank you, @karolyi, for the detailed explanation. I understand your point of view and what you suggested doing.
The dedicated error with the ambiguous response seems to be the best solution.
Let me know if a PR with this change would be appreciated.
Goodbye,
Alessio
@karolyi I see your point about not being able to go back into non-SSL. Given that, I agree with issuing an ambigous response, and I also agree that a new exception class (derived from SMTPError) is the optimal solution.
PRs are welcome but I can prepare something in a couple days too.
@karolyi, thank you. If, for whatever reason, you cannot work on this, I will be able to work on a PR during the weekend.
This should be fixed now in
1.0.2
although travis shits itself for some reason (probably there is some API glitch between them and github), and I can't get the green build logo displayed. Will work on that part, but the SSL error should be fixed now, with additional changes. For those, see changelog.txt.Thank you, @karolyi. Tomorrow I will test the new version.
Goodbye,
Alessio