SslHandshakeException:尝试建立 SSL 或 TLS 连接时发生错误
[英]SslHandshakeException: An error occurred while attempting to establish an SSL or TLS connection
问题描述
I'm trying to access gmail emails using imap and the code is failing at the ssl handshake without showing me any errors.
我正在尝试使用 imap 访问 gmail 电子邮件,并且代码在 ssl 握手时失败,而没有显示任何错误。 Really appreciate if anyone could please help with this.如果有人能帮忙解决这个问题,我真的很感激。 I've built this using xunit, .NET Core 2.1.我使用 xunit、.NET Core 2.1 构建了它。 I'm using MailKit Nuget我正在使用 MailKit Nuget
public GMailHandler(string mailServer, int port, bool ssl, string login, string password)
//mailServer = imap.gmail.com
//port = 993
//ssl = true
{
if (ssl)
Client.Connect(mailServer, port);
else
Client.Connect(mailServer, port);
Client.Authenticate(login, password);
Client.Inbox.Open(FolderAccess.ReadOnly);
}
4 个解决方案
解决方案1
21 2019-11-25 20:50:19
Here's a copy & paste from the MailKit FAQ :这是MailKit 常见问题解答中的复制和粘贴:
Q: Why do I get "MailKit.Security.SslHandshakeException: An error occurred while attempting to establish an SSL or TLS connection."问:为什么我会收到"MailKit.Security.SslHandshakeException: An error occurred while attempting to establish an SSL or TLS connection." when I try to Connect?当我尝试连接?
When you get an exception with that error message, it usually means that you are encountering one of the following scenarios:当您收到带有该错误消息的异常时,通常意味着您遇到以下情况之一:
1. The mail server does not support SSL on the specified port. 1. 邮件服务器在指定端口上不支持 SSL。
There are 2 different ways to use SSL/TLS encryption with mail servers.有 2 种不同的方法可以对邮件服务器使用 SSL/TLS 加密。
The first way is to enable SSL/TLS encryption immediately upon connecting to the SMTP, POP3 or IMAP server.第一种方法是在连接到 SMTP、POP3 或 IMAP 服务器后立即启用 SSL/TLS 加密。 This method requires an "SSL port" because the standard port defined for the protocol is meant for plain-text communication.此方法需要“SSL 端口”,因为为协议定义的标准端口用于纯文本通信。
The second way is via a STARTTLS command (aka STLS for POP3) that is optionally supported by the server.第二种方法是通过服务器可选支持的STARTTLS命令(又名 POP3 的STLS )。
Below is a table of the protocols supported by MailKit and the standard plain-text ports (which either do not support any SSL/TLS encryption at all or only via the STARTTLS command extension) and the SSL ports which require SSL/TLS encryption immediately upon a successful connection to the remote host.下面是 MailKit 支持的协议和标准纯文本端口(根本不支持任何 SSL/TLS 加密或仅通过STARTTLS命令扩展)和需要 SSL/TLS 加密的 SSL 端口的表格成功连接到远程主机。
|Protocol|Standard Port|SSL Port|
|:------:|:-----------:|:------:|
| SMTP | 25 or 587 | 465 |
| POP3 | 110 | 995 |
| IMAP | 143 | 993 |
It is important to use the correct SecureSocketOptions for the port that you are connecting to.为您要连接的端口使用正确的SecureSocketOptions很重要。
If you are connecting to one of the standard ports above, you will need to use SecureSocketOptions.None , SecureSocketOptions.StartTls or SecureSocketOptions.StartTlsWhenAvailable .如果您要连接到上述标准端口之一,则需要使用SecureSocketOptions.None 、 SecureSocketOptions.StartTls或SecureSocketOptions.StartTlsWhenAvailable 。
If you are connecting to one of the SSL ports, you will need to use SecureSocketOptions.SslOnConnect .如果要连接到 SSL 端口之一,则需要使用SecureSocketOptions.SslOnConnect 。
You could also try using SecureSocketOptions.Auto which works by choosing the appropriate option to use by comparing the specified port to the ports in the above table.您也可以尝试使用SecureSocketOptions.Auto ,它可以通过选择适当的选项来通过将指定端口与上表中的端口进行比较来使用。
2. The mail server that you are connecting to is using an expired (or otherwise untrusted) SSL certificate. 2. 您要连接的邮件服务器正在使用过期(或不可信)的 SSL 证书。
Often times, mail servers will use self-signed certificates instead of using a certificate that has been signed by a trusted Certificate Authority.通常,邮件服务器将使用自签名证书,而不是使用已由受信任的证书颁发机构签名的证书。 Another potential pitfall is when locally installed anti-virus software replaces the certificate in order to scan web traffic for viruses.另一个潜在的陷阱是当本地安装的防病毒软件替换证书以扫描网络流量以查找病毒时。
When your system is unable to validate the mail server's certificate because it is not signed by a known and trusted Certificate Authority, the above error will occur.如果您的系统无法验证邮件服务器的证书,因为它没有由已知且受信任的证书颁发机构签名,则会发生上述错误。
You can work around this problem by supplying a custom RemoteCertificateValidationCallback and setting it on the client's ServerCertificateValidationCallback property.您可以通过提供自定义RemoteCertificateValidationCallback并将其设置在客户端的ServerCertificateValidationCallback属性上来解决此问题。
In the simplest example, you could do something like this (although I would strongly recommend against it in production use):在最简单的示例中,您可以执行以下操作(尽管我强烈建议在生产使用中反对它):
using (var client = new SmtpClient ()) {
client.ServerCertificateValidationCallback = (s,c,h,e) => true;
client.Connect (hostName, port, SecureSocketOptions.Auto);
// ...
}
Most likely you'll want to instead compare the certificate's Thumbprint property to a known value that you have verified at a prior date.您很可能希望将证书的指纹属性与您在之前验证的已知值进行比较。
You could also use this callback to prompt the user (much like you have probably seen web browsers do) as to whether or not the certificate should be trusted.您还可以使用此回调来提示用户(就像您可能已经看到 Web 浏览器所做的那样)关于证书是否应该被信任。
3. A Certificate Authority CRL server for one or more of the certificates in the chain is temporarily unavailable. 3. 链中一个或多个证书的证书颁发机构 CRL 服务器暂时不可用。
Most Certificate Authorities are probably pretty good at keeping their CRL and/or OCSP servers up 24/7, but occasionally they do go down or are otherwise unreachable due to other network problems between you and the server.大多数证书颁发机构可能非常擅长保持其 CRL 和/或 OCSP 服务器 24/7 运行,但有时它们会因您和服务器之间的其他网络问题而出现故障或无法访问。 When this happens, it becomes impossible to check the revocation status of one or more of the certificates in the chain.发生这种情况时,就无法检查链中一个或多个证书的吊销状态。
To ignore revocation checks, you can set the CheckCertificateRevocation property of the IMAP, POP3 or SMTP client to false before you connect:要忽略吊销检查,您可以在连接之前将 IMAP、POP3 或 SMTP 客户端的CheckCertificateRevocation属性设置为false :
using (var client = new SmtpClient ()) {
client.CheckCertificateRevocation = false;
client.Connect (hostName, port, SecureSocketOptions.Auto);
// ...
}
4. The server does not support the same set of SSL/TLS protocols that the client is configured to use. 4. 服务器不支持客户端配置使用的同一组 SSL/TLS 协议。
MailKit attempts to keep up with the latest security recommendations and so is continuously removing older SSL and TLS protocols that are no longer considered secure from the default configuration. MailKit 试图跟上最新的安全建议,因此不断从默认配置中删除不再被视为安全的旧 SSL 和 TLS 协议。 This often means that MailKit's SMTP, POP3 and IMAP clients will fail to connect to servers that are still using older SSL and TLS protocols.这通常意味着 MailKit 的 SMTP、POP3 和 IMAP 客户端将无法连接到仍在使用旧 SSL 和 TLS 协议的服务器。 Currently, the SSL and TLS protocols that are not supported by default are: SSL v2.0, SSL v3.0, and TLS v1.0.目前,默认不支持的 SSL 和 TLS 协议有:SSL v2.0、SSL v3.0 和 TLS v1.0。
You can override MailKit's default set of supported SSL and TLS protocols by setting the value of the SslProtocols property on your SMTP, POP3 or IMAP client.您可以通过在 SMTP、POP3 或 IMAP 客户端上设置SslProtocols属性的值来覆盖 MailKit 支持的默认SSL 和 TLS 协议集。
For example:例如:
using (var client = new SmtpClient ()) {
// Allow SSLv3.0 and all versions of TLS
client.SslProtocols = SslProtocols.Ssl3 | SslProtocols.Tls | SslProtocols.Tls11 | SslProtocols.Tls12 | SslProtocols.Tls13;
client.Connect ("smtp.gmail.com", 465, true);
// ...
}
解决方案2
1 2020-11-23 19:15:39
await client.ConnectAsync(_emailConfig.SmtpServer, _emailConfig.Port, false);
只需在客户端配置中将“useSsl”选项设置为 false
解决方案3
0 2022-06-01 08:47:15
I solved a similar problem by going through the protocols.我通过协议解决了类似的问题。 As a result, I found out that the MS Exchange server uses Tls 1.0 for backward compatibility.结果,我发现MS Exchange服务器使用 Tls 1.0 来实现向后兼容性。 I explicitly set the protocol and the connection passed.我明确设置了协议并通过了连接。
var client = new ImapClient();
client.SslProtocols = System.Security.Authentication.SslProtocols.Tls;
client.Connect("servername", 993, SecureSocketOptions.SslOnConnect);
解决方案4
-1 2021-03-29 07:32:08
Disbaled Avast antivorus software .禁用 Avast antivorus 软件。 This works for me这对我有用
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.