Jobs that sends email via TLS suddenly stopped working on 1JAN15 - VisualCron - Forum

Community forum

Cron2250
2015-01-02T18:47:01Z
We have two jobs that send a periodical email to our mail server using TLS. Both of these worked fine until 1JAN15, then they suddenly started failing with an error 75777. I've read a few other posts that mention that error and tried everything we can, but it still fails. Extended server debug is shown below for one of the jobs (but it's useless). Looking at the mail server, we see VC connecting, but then VC closes the connection immediately afterward.

1/2/2015 6:38:26 PM Debug Job (106) was added to processlist: Transition Patient Services
1/2/2015 6:38:26 PM Debug Next action: ActionContinue
1/2/2015 6:38:26 PM Debug Next Task is: Send Test Print Job via Email
1/2/2015 6:38:26 PM Debug Calling StartTaskProcess() with Task: Send Test Print Job via Email (0)
1/2/2015 6:38:26 PM Debug Task (106) was added to processlist: Send Test Print Job via Email
1/2/2015 6:38:26 PM Info Task started: Send Test Print Job via Email (106)
1/2/2015 6:38:26 PM Debug Entering wait loop. Send Test Print Job via Email (106)
1/2/2015 6:38:26 PM Err Exception in Task: Connection failed (error code is 75777)
1/2/2015 6:38:26 PM Info Task completed: Send Test Print Job via Email (106)
1/2/2015 6:38:26 PM Debug Process status - About to RemoveTaskProcess (106)
1/2/2015 6:38:26 PM Debug Setting previous task in TaskProcessCompleted: Send Test Print Job via Email (251c93a9-2ee7-4cb3-b24b-0b631ca1aa01) in job: Transition Patient Services
1/2/2015 6:38:26 PM Debug Process status - About to SendTaskProcess (106)
1/2/2015 6:38:26 PM Debug Process status - About to RemoveTaskProcess (106)
1/2/2015 6:38:26 PM Debug Task (106) was removed from processlist: Send Test Print Job via Email
1/2/2015 6:38:26 PM Debug Sleep ended because Task ended.Send Test Print Job via Email (106)
1/2/2015 6:38:26 PM Debug TaskWaitQueue.Dequeued.Send Test Print Job via Email (106)
1/2/2015 6:38:27 PM Debug Job (106) was removed from processlist: Transition Patient Services
1/2/2015 6:38:27 PM Debug Next execution (2) for job 'Transition Patient Services' is: 1/2/2015 7:00:00 PM
1/2/2015 6:38:27 PM Info Job completed: Transition Patient Services

Cron2250
2015-01-02T23:10:26Z
PS - We are able to get it to work (or not) by selecting SSL encryption vs TLS. However, the server supports TLS from other clients with no problem. Could there be some issue with VC that prevents TLS encryption from working properly?
Support
2015-01-05T09:29:14Z
I do not see any other reason that something was changed on Email server side. Otherwise why would it suddenly stop working.
Henrik
Support
http://www.visualcron.com 
Please like  VisualCron on facebook!
Cron2250
2015-01-05T14:13:03Z
OK. But for the sake of argument, let's say that nothing has changed on the email server (we're pretty confident in this, since no one touched the running server between the time it works and the time it failed). But regardless, how can we troubleshoot this? I've tried using an SMTP mail client from the same server that VC is running on, to the same email sever, and it works just fine. The logs (even detailed logs) that VC provides are not helpful.
Support
2015-01-05T14:58:51Z
A lot of email servers are being upgraded because of the SSL bug right now. But what error do you get in the log_serverDATE.txt when trying to a Task (or click test button) on the Connection when you use properties that do not work?

Update: Searched on 75777 and it seems to point to that there no way connect securely on this authentication method. Like there is no secure server listening.
Henrik
Support
http://www.visualcron.com 
Please like  VisualCron on facebook!
Cron2250
2015-01-05T15:01:18Z
The output from the log_server file was included in the initial post. Other than this line, there is nothing else to go on:
1/2/2015 6:38:26 PM Err Exception in Task: Connection failed (error code is 75777)
Support
2015-01-05T15:02:45Z
As mentioned in the update of the post the selected service seems to have been disabled. This is the typical response code for that when initiating the authentication.
Henrik
Support
http://www.visualcron.com 
Please like  VisualCron on facebook!
Cron2250
2015-01-05T15:08:13Z
OK, but a simple SMTP client running on the same server as VC is able to connect to and send to the same email server using both SSL and TLS.
Support
2015-01-05T15:10:12Z
Normally different ports are used for SSL and TLS. So, maybe port is different.

Or, the other client tries to fallback to the other when failing why VisualCron is more "strict" to the settings.
Henrik
Support
http://www.visualcron.com 
Please like  VisualCron on facebook!
Cron2250
2015-01-05T15:11:28Z
Note that the specific difference of whether it works or fails from VC is which encryption method I choose in the Connection: SSL works and TLS fails. However, we know that the email server can support both of these methods, and the SMTP test client works both ways (as do other email clients connecting to the same email server). So it's likely that VC "doesn't like something" about the TLS connection, but there is no way to "externally" troubleshoot this, which is why I'm looking for some additional detail from VC as to what it doesn't like.
Cron2250
2015-01-05T15:15:31Z
Hmmm. I don't think so. The port is explicitly set to 587, which the server uses to require an encrypted connection and authentication. The client (or VC) does't know about any other port number.
Support
2015-01-05T15:19:54Z
I am guessing. But another thing, by judging on the date it could be a certificate that has expired on server side.

If this is a problem in VC we will get feedback pretty fast as all of our users are using Email Tasks or Notifications in some form. Right now, especially as you have workaround, it is to time consuming for us to start testing on against this specific server.
Henrik
Support
http://www.visualcron.com 
Please like  VisualCron on facebook!
Cron2250
2015-01-05T15:30:52Z
Yes, that was our thought, too. But we've checked the certificates and tested the server in every way we know how (including probing it from checktls.com, for example). Everything works (except VC). The workaround we have in place isn't great (we really do need to disable SSL 3.0 for security purposes). What I'm looking for is additional "trace" from VC (just reporting error 75777 doesn't give us anything to go on--VC must "know" more about what is failing during the TLS negotiation). Also, the failure happens instantly, so it's not like it's trying to access a non-responsive server or a port that isn't being listened to, etc., it has to be something that VC's SMTP client is deciding is "wrong". Is no more detail available from VC than what currently appears in the log files (with "detailed logging" enabled)?
Support
2015-01-06T09:20:57Z
Here is a response from one of our developers, as detailed as possible:

"Unexpected Message" error usually happens when the other party sends garbage and not TLS packets. The most common reason is misconfiguration, when you try to connect with non-TLS client to TLS port or vice versa.

You could try to switch between port 465 and 587 when using TLS.
Henrik
Support
http://www.visualcron.com 
Please like  VisualCron on facebook!
A.J.
2015-05-05T16:48:49Z
I am having the same problem. Connection to Exchange server 2013 on port 587 to a receive connector with TLS enabled and basic authentication only after TLS. TLS connectivity works from other clients and I have tested successfully with openSSL to confirm that TLSv1 is working on that port. When I try a test from Visualcron, however, it fails with "Connection test failed. Error: Unhandled error: Connection failed (error code is 75777)"

I am using the following settings:
Port: 587
Code page: Windows-1252
Authentication: (user and password)
Cryptographic protocol: TLS
Security mode: Explicit
Proxy: none

My exchange logs show a connection attempt from the client, bu as soon as the exchange server responds, the client resets the connection:

2015-05-05T15:46:09.141Z,MX1\Client Frontend MX1,08D241B9527E25D4,0,<Exchange server>:587,<VisualCron>:65027,+,,
2015-05-05T15:46:09.141Z,MX1\Client Frontend MX1,08D241B9527E25D4,1,<Exchange server>:587,<VisualCron>:65027,*,None,Set Session Permissions
2015-05-05T15:46:09.141Z,MX1\Client Frontend MX1,08D241B9527E25D4,2,<Exchange server>:587,<VisualCron>:65027,>,"220 xxxx.com Microsoft ESMTP MAIL Service ready at Tue, 5 May 2015 08:46:08 -0700",
2015-05-05T15:46:12.068Z,MX1\Client Frontend MX1,08D241B9527E25D4,3,<Exchange server>:587,<VisualCron>:65027,-,,Remote(ConnectionReset)


If I switch to the SSL cipher, the connection succeeds using SSLv3, but I can find no way to successfully send using the TLS cipher.

As I mentioned, I have confirmed that TLSv1 is enabled and functional on this connector:

C:\Windows\System32>openssl s_client -connect XXXX.com:587 -starttls smtp
Loading 'screen' into random state - done
CONNECTED(00000194)
depth=2 C = US, XXXX
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
XXXXXX
---
Server certificate
-----BEGIN CERTIFICATE-----
XXXX
-----END CERTIFICATE-----
subject=XXXX
issuer=XXXX

---
No client certificate CA names sent
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 5186 bytes and written 563 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: XXXX
    Session-ID-ctx:
    Master-Key: XXXX
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1430844175
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
250 CHUNKING
EHLO test
250-XXXX.com Hello [XXX.XXX.XXX.XXX]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN
250-8BITMIME
250-BINARYMIME
250 CHUNKING
Support
2015-05-06T14:23:22Z
This should have been resolved in later version.
Henrik
Support
http://www.visualcron.com 
Please like  VisualCron on facebook!
A.J.
2015-05-06T14:54:35Z
Thanks for the update. I'm running version 7.5.1, but I'm unable to upgrade at this time. Can anyone else confirm if the issue is truly resolved in the newer version? The only thing I see in the Changelog  that appears related is a new feature in 7.6.2, but it looks like it just gives the ability to specify supported cipher versions. I don't see any reference to a bugfix for this TLS issue:
Quote:

[FEATURE] Client/Server: SMTP Task->Added support for setting supported SSL/TLS versions

Support
2015-05-06T15:08:53Z
Originally Posted by: A.J. 

Thanks for the update. I'm running version 7.5.1, but I'm unable to upgrade at this time. Can anyone else confirm if the issue is truly resolved in the newer version? The only thing I see in the Changelog  that appears related is a new feature in 7.6.2, but it looks like it just gives the ability to specify supported cipher versions. I don't see any reference to a bugfix for this TLS issue:

Quote:

[FEATURE] Client/Server: SMTP Task->Added support for setting supported SSL/TLS versions



I suggest installing latest version on your desktop or other server. You have full functionality for 45 days so you should be able to test.
Henrik
Support
http://www.visualcron.com 
Please like  VisualCron on facebook!
Scroll to Top