TLS Handshake Failure - appreciate any help on how to fix
 
First up, I know enough about The Bat to send & receive e-mail, and not much beyond that. I know there's SO much it can do, so I apologize for my ignorance about the program. I switched to The Bat after running Eudora into the ground and The Bat was the best e-mail app I found to replace it.

I had been using 8.89 for a while, even after the 9.x upgrade came out. But all of a sudden, starting today, I cannot send e-mail. I have The Bat configured to use my gmail accounts, and had no problems prior to today.

The error it says on the status bar is:
TLS handshake failure. Invalid server certificate (The certificate cannot be used for this purpose).

The log says:
4/6/2020, 17:09:38: SEND  - Connecting to SMTP server smtp.gmail.com on port 465
4/6/2020, 17:09:38: SEND  - Initiating TLS handshake
>4/6/2020, 17:09:38: SEND  - Certificate S/N: CF9E6428113388FF080000000035ED43, algorithm: ECC (256 bits), issued from 3/24/2020 6:48:05 AM to 6/16/2020 6:48:05 AM, for 1 host(s): smtp.gmail.com.
>4/6/2020, 17:09:38: SEND  - Owner: "US", "California", "Mountain View", "Google LLC", "smtp.gmail.com".
>4/6/2020, 17:09:38: SEND  - Issuer: "US", "Google Trust Services", "GTS CA 1O1". Valid from 6/15/2017 12:00:42 AM to 12/15/2021 12:00:42 AM.
>4/6/2020, 17:09:38: SEND  - Root: "GlobalSign Root CA - R2", "GlobalSign", "GlobalSign". Valid from 12/15/2006 8:00:00 AM to 12/15/2021 8:00:00 AM.
!4/6/2020, 17:09:38: SEND  - TLS handshake failure. Invalid server certificate (The certificate cannot be used for this purpose).

Under the S/MIME and TLS Certificates option, it's set to use Internal Implementation,
and whatever defaults pop up there. I've never altered or configured any of that.

For my SMTP settings to Send Mail, it's set to
smtp.gmail.com
the Connection is Secure to dedicated port (TLS)
on Port 465

Authentication is set to Perform SMTP Authentication (RFC 2554)
and to use the same user/password as for Mail Retrieval

I went ahead and upgraded to 9.1.6 hoping that would fix it, hoping maybe some old setting was outdated, but the problem is exactly the same.
When upgrading, I used Windows RegEdit to export the prior The Bat settings so I wouldn't have to redo all my settings for my accounts, and the editor, etc. I say that just in case I pulled over something funky from the old version that's outdated (again, showing how little I know about the Registry).

I'm at a complete loss on what to do. Certificates and encryption are well beyond me. I appreciate any and all advice, and thank you for your time!
:-)
 
I don't think that it will make a difference, but according to several sites, the port to use on smtp.gmail.com with TLS is 587.
You could give that a try, but if that doesn't work, I'd recommend that you click Support in the menu above and contact Ritlabs' technical support to see what they say.
I volunteer as a moderator to help keep the forum tidy. I do not work for Ritlabs SRL.
 
I gave that a shot but same error. I'll try a support request. And if anyone else has any ideas, I'm all ears!
And thank you for the reply, Daniel.
:-)
 
I've been having the same problem.

Something I've noticed:

>***: FETCH - Certificate S/N: ***, algorithm: ECC (256 bits), issued from 3/24/2020 6:48:03 AM to 6/16/2020 6:48:03 AM, for 1 host(s): pop.gmail.com.
!*** : FETCH - TLS handshake failure. Invalid server certificate (The certificate cannot be used for this purpose).


>***: FETCH - Certificate S/N: ***, algorithm: RSA (2048 bits), issued from 3/3/2020 9:44:10 AM to 5/26/2020 9:44:10 AM, for 1 host(s): pop.gmail.com
***: FETCH - TLS handshake complete

When it says: algorithm: ECC (256 bits)
It fails.

When it says: algorithm: RSA (2048 bits)
It succeeds.

I have no idea why it sometimes uses one and sometimes the other.
It seems to do so on its own.

Anyone know a way to force it to use algorithm: RSA (2048 bits) ?

Note: If you go to Options -> S/MIME and TLS... and switch between "Internal ..." and "Microsoft ..." at the top that might help your mail to get through temporarily. I don't know if any options here will help to fix the problem long  term.
Edited: cyb0rg - 07 April 2020 11:19:23
 
Having same problem here with sending:
Quote
07.04.2020, 13:21:43: SEND  - Connecting to SMTP server smtp.gmail.com on port 587
07.04.2020, 13:21:44: SEND  - Initiating TLS handshake
>07.04.2020, 13:21:44: SEND  - Certificate S/N: 09AAC9BCF90EB5760800000000320BE8, algorithm: ECC (256 bits), issued from 3/3/2020 9:58:16 AM to 5/26/2020 9:58:16 AM, for 1 host(s): smtp.gmail.com.
>07.04.2020, 13:21:44: SEND  - Owner: "US", "California", "Mountain View", "Google LLC", "smtp.gmail.com".
>07.04.2020, 13:21:44: SEND  - Issuer: "US", "Google Trust Services", "GTS CA 1O1". Valid from 6/15/2017 12:00:42 AM to 12/15/2021 12:00:42 AM.
>07.04.2020, 13:21:44: SEND  - Issuer: "GlobalSign Root CA - R2", "GlobalSign", "GlobalSign". Valid from 12/15/2006 8:00:00 AM to 1/28/2028 12:00:00 PM.
>07.04.2020, 13:21:44: SEND  - Root: "BE", "GlobalSign nv-sa", "Root CA", "GlobalSign Root CA". Valid from 9/1/1998 12:00:00 PM to 1/28/2028 12:00:00 PM.
!07.04.2020, 13:21:44: SEND  - TLS handshake failure. Invalid server certificate (The certificate cannot be used for this purpose).
!07.04.2020, 13:21:44: SEND  - The server has aborted the connection

It's the only topic I've found about this matter, and it seems that the problem is quite new and I'm not the only one affected :(

Tried different connection types/ports and switching the certificate store in S/MIME options - no result.

P.S. Emails are being sent normally from an Android phone (not the native Gmail app) using the same account, etc., so it seems the problem is in The Bat or how it handles those certificates.
Edited: Сергей Соколов - 07 April 2020 13:43:47
 
I also hit this this morning.  I had checked email a few times this morning in order to pull down all the email and everything worked... then I hit the same error a few minutes later.  I spent a few minutes searching for answers and decided to refill my coffee and when I came back, I was able to check email again. Looks like a temporary glitch in the Matrix. :-)  

2020-04-07, 08:16:52: FETCH - receiving mail messages
2020-04-07, 08:16:52: FETCH - Connecting to POP3 server pop.gmail.com on port 995
2020-04-07, 08:16:52: FETCH - Initiating TLS handshake
>2020-04-07, 08:16:52: FETCH - Certificate S/N: 0E884B385836D5690800000000320BE3, algorithm: ECC (256 bits), issued from 3/3/2020 9:58:11 AM to 5/26/2020 9:58:11 AM, for 1 host(s): pop.gmail.com.
>2020-04-07, 08:16:52: FETCH - Owner: "US", "California", "Mountain View", "Google LLC", "pop.gmail.com".
>2020-04-07, 08:16:52: FETCH - Issuer: "US", "Google Trust Services", "GTS CA 1O1". Valid from 6/15/2017 12:00:42 AM to 12/15/2021 12:00:42 AM.
>2020-04-07, 08:16:52: FETCH - Root: "GlobalSign Root CA - R2", "GlobalSign", "GlobalSign". Valid from 12/15/2006 8:00:00 AM to 12/15/2021 8:00:00 AM.
!2020-04-07, 08:16:52: FETCH - TLS handshake failure. Invalid server certificate (The certificate cannot be used for this purpose).
2020-04-07, 08:16:56: FETCH - receiving mail messages
2020-04-07, 08:16:56: FETCH - Connecting to POP3 server pop.gmail.com on port 995
2020-04-07, 08:16:56: FETCH - Initiating TLS handshake
>2020-04-07, 08:16:56: FETCH - Certificate S/N: 0E884B385836D5690800000000320BE3, algorithm: ECC (256 bits), issued from 3/3/2020 9:58:11 AM to 5/26/2020 9:58:11 AM, for 1 host(s): pop.gmail.com.
>2020-04-07, 08:16:56: FETCH - Owner: "US", "California", "Mountain View", "Google LLC", "pop.gmail.com".
>2020-04-07, 08:16:56: FETCH - Issuer: "US", "Google Trust Services", "GTS CA 1O1". Valid from 6/15/2017 12:00:42 AM to 12/15/2021 12:00:42 AM.
>2020-04-07, 08:16:56: FETCH - Root: "GlobalSign Root CA - R2", "GlobalSign", "GlobalSign". Valid from 12/15/2006 8:00:00 AM to 12/15/2021 8:00:00 AM.
!2020-04-07, 08:16:56: FETCH - TLS handshake failure. Invalid server certificate (The certificate cannot be used for this purpose).
2020-04-07, 08:22:25: FETCH - receiving mail messages
2020-04-07, 08:22:25: FETCH - Connecting to POP3 server pop.gmail.com on port 995
2020-04-07, 08:22:25: FETCH - Initiating TLS handshake
>2020-04-07, 08:22:25: FETCH - Certificate S/N: D80446EA4406BA970800000000320A6A, algorithm: RSA (2048 bits), issued from 3/3/2020 9:44:10 AM to 5/26/2020 9:44:10 AM, for 1 host(s): pop.gmail.com.
>2020-04-07, 08:22:25: FETCH - Owner: "US", "California", "Mountain View", "Google LLC", "pop.gmail.com".
>2020-04-07, 08:22:25: FETCH - Issuer: "US", "Google Trust Services", "GTS CA 1O1". Valid from 6/15/2017 12:00:42 AM to 12/15/2021 12:00:42 AM.
>2020-04-07, 08:22:25: FETCH - Root: "GlobalSign Root CA - R2", "GlobalSign", "GlobalSign". Valid from 12/15/2006 8:00:00 AM to 12/15/2021 8:00:00 AM.
2020-04-07, 08:22:25: FETCH - TLS handshake complete
2020-04-07, 08:22:25: FETCH - connected to POP3 server
2020-04-07, 08:22:26: FETCH - authenticated (plain)
2020-04-07, 08:22:26: FETCH - 27 messages in the mailbox, 21 new
 
Quote
Brent Huffman wrote:
I also hit this this morning.  I had checked email a few times this morning in order to pull down all the email and everything worked... then I hit the same error a few minutes later.  I spent a few minutes searching for answers and decided to refill my coffee and when I came back, I was able to check email again. Looks like a temporary glitch in the Matrix. :-)
Good for you :) Thing is, the topic is about a problem with SMTP/sending :)
 
Still no answer from Ritlabs? The same thing happened to me a few days ago, but it lasted about an hour and then it started working again. But today it stopped and it is still not working. :(
 
I am experiencing this problem as well; I can receive email sometimes, but cannot send.
 
I have the same problem while sending:

!07/04/2020, 15:32:01: SEND  - TLS handshake failure. Invalid server certificate (The certificate cannot be used for this purpose).


I was on version 8, so I tried to upgrade to version 9 but the problem is still here!!  :-(
 
 07/04/2020, 15:32:01: SEND  - Connecting to SMTP server imap.gmail.com on port 465
07/04/2020, 15:32:01: SEND  - Initiating TLS handshake
>07/04/2020, 15:32:01: SEND  - Certificate S/N: 30192987AA4DD903080000000035ED3C, algorithm: ECC (256 bits), issued from 3/24/2020 6:47:59 AM to 6/16/2020 6:47:59 AM, for 1 host(s): imap.gmail.com.
>07/04/2020, 15:32:01: SEND  - Owner: "US", "California", "Mountain View", "Google LLC", "imap.gmail.com".
>07/04/2020, 15:32:01: SEND  - Issuer: "US", "Google Trust Services", "GTS CA 1O1". Valid from 6/15/2017 12:00:42 AM to 12/15/2021 12:00:42 AM.
>07/04/2020, 15:32:01: SEND  - Root: "GlobalSign Root CA - R2", "GlobalSign", "GlobalSign". Valid from 12/15/2006 8:00:00 AM to 12/15/2021 8:00:00 AM.
!07/04/2020, 15:32:01: SEND  - TLS handshake failure. Invalid server certificate (The certificate cannot be used for this purpose).
07/04/2020, 15:32:33: IMAP  - Connecting to IMAP server imap.gmail.com on port 993
07/04/2020, 15:32:33: IMAP  - Initiating TLS handshake
>07/04/2020, 15:32:33: IMAP  - Certificate S/N: 30192987AA4DD903080000000035ED3C, algorithm: ECC (256 bits), issued from 3/24/2020 6:47:59 AM to 6/16/2020 6:47:59 AM, for 1 host(s): imap.gmail.com.
>07/04/2020, 15:32:33: IMAP  - Owner: "US", "California", "Mountain View", "Google LLC", "imap.gmail.com".
>07/04/2020, 15:32:33: IMAP  - Issuer: "US", "Google Trust Services", "GTS CA 1O1". Valid from 6/15/2017 12:00:42 AM to 12/15/2021 12:00:42 AM.
>07/04/2020, 15:32:33: IMAP  - Root: "GlobalSign Root CA - R2", "GlobalSign", "GlobalSign". Valid from 12/15/2006 8:00:00 AM to 12/15/2021 8:00:00 AM.
!07/04/2020, 15:32:33: IMAP  - TLS handshake failure. Invalid server certificate (The certificate cannot be used for this purpose).
07/04/2020, 15:33:43: IMAP  - Connecting to IMAP server imap.gmail.com on port 993
07/04/2020, 15:33:43: IMAP  - Initiating TLS handshake
>07/04/2020, 15:33:43: IMAP  - Certificate S/N: 30192987AA4DD903080000000035ED3C, algorithm: ECC (256 bits), issued from 3/24/2020 6:47:59 AM to 6/16/2020 6:47:59 AM, for 1 host(s): imap.gmail.com.
>07/04/2020, 15:33:43: IMAP  - Owner: "US", "California", "Mountain View", "Google LLC", "imap.gmail.com".
>07/04/2020, 15:33:43: IMAP  - Issuer: "US", "Google Trust Services", "GTS CA 1O1". Valid from 6/15/2017 12:00:42 AM to 12/15/2021 12:00:42 AM.
>07/04/2020, 15:33:43: IMAP  - Root: "GlobalSign Root CA - R2", "GlobalSign", "GlobalSign". Valid from 12/15/2006 8:00:00 AM to 12/15/2021 8:00:00 AM.
!07/04/2020, 15:33:43: IMAP  - TLS handshake failure. Invalid server certificate (The certificate cannot be used for this purpose).
07/04/2020, 15:34:43: IMAP  - Connecting to IMAP server imap.gmail.com on port 993
07/04/2020, 15:34:43: IMAP  - Initiating TLS handshake
>07/04/2020, 15:34:43: IMAP  - Certificate S/N: 30192987AA4DD903080000000035ED3C, algorithm: ECC (256 bits), issued from 3/24/2020 6:47:59 AM to 6/16/2020 6:47:59 AM, for 1 host(s): imap.gmail.com.
>07/04/2020, 15:34:43: IMAP  - Owner: "US", "California", "Mountain View", "Google LLC", "imap.gmail.com".
>07/04/2020, 15:34:43: IMAP  - Issuer: "US", "Google Trust Services", "GTS CA 1O1". Valid from 6/15/2017 12:00:42 AM to 12/15/2021 12:00:42 AM.
>07/04/2020, 15:34:43: IMAP  - Root: "GlobalSign Root CA - R2", "GlobalSign", "GlobalSign". Valid from 12/15/2006 8:00:00 AM to 12/15/2021 8:00:00 AM.
!07/04/2020, 15:34:43: IMAP  - TLS handshake failure. Invalid server certificate (The certificate cannot be used for this purpose).
 
If I disable the antivirus, then I can send messages through Gmail. It looks like Google started anti-antivirus things.
Moderator. I'm not an employee of Ritlabs. https://belrus.biz/vendors/ritlabs.html
 
Same problem is here - TLS Handshake Failure. Can't send the emails for the whole day!!!  :evil:  
 
Quote
George Salnik wrote:
If I disable the antivirus, then I can send messages through Gmail. It looks like Google started anti-antivirus things.
Disabling NOD32 and windows defender didn't work :(
 
Quote
Daniel van Rooijen wrote:
Quote
cyb0rg wrote:
When it says: algorithm: RSA (2048 bits)
It succeeds.

I have no idea why it sometimes uses one and sometimes the other.

Does your log also show the IP of the Gmail server that The Bat has connected to? If so, does it always use the RSA certificate on one particular server? If so, maybe you can specify that server by its IP instead of "smtp.gmail.com" in your settings.

No, and good thinking trying to get it to use a particular server that may not have this issue, but smtp.google.com only has one IP address it seems.

>nslookup smtp.gmail.com
Server:  UnKnown
Address:  ***

Non-authoritative answer:
Name:    smtp.gmail.com
Addresses:  2607:f8b0:400d:c07::6c
         74.125.192.108

Also, for me, originally it was only a problem sending e-mail, but now checking e-mail through pop.gmail.com is having the same problem as well.

>nslookup pop.gmail.com
Server:  UnKnown
Address:  ***

Non-authoritative answer:
Name:    pop.gmail.com
Addresses:  2607:f8b0:400d:c0c::6d
         172.217.197.108
         172.217.197.109


Note: In the logs posted in this thread, it seems that the algorithm ECC not working and the algorithm RSA working continues to hold true. It might be a good indication as to what the problem is and how to fix it. Unfortunately, I know very little about the subject.
Edited: cyb0rg - 07 April 2020 18:02:32
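The ECC-fails/RSA-succeeds pattern noted above can be checked mechanically over a saved log. This is an added example, not part of any post and not Ritlabs code; it pairs each presented certificate with the handshake outcome, using lines copied from logs posted in this thread, and the function and variable names are made up for the example. It shows correlation only.

```python
import re
from collections import Counter, defaultdict

# Lines copied from logs posted in this thread (two posters, four handshakes).
SAMPLE_LOG = """\
2020-04-07, 08:16:52: FETCH - Initiating TLS handshake
>2020-04-07, 08:16:52: FETCH - Certificate S/N: 0E884B385836D5690800000000320BE3, algorithm: ECC (256 bits), issued from 3/3/2020 9:58:11 AM to 5/26/2020 9:58:11 AM, for 1 host(s): pop.gmail.com.
!2020-04-07, 08:16:52: FETCH - TLS handshake failure. Invalid server certificate (The certificate cannot be used for this purpose).
2020-04-07, 08:22:25: FETCH - Initiating TLS handshake
>2020-04-07, 08:22:25: FETCH - Certificate S/N: D80446EA4406BA970800000000320A6A, algorithm: RSA (2048 bits), issued from 3/3/2020 9:44:10 AM to 5/26/2020 9:44:10 AM, for 1 host(s): pop.gmail.com.
2020-04-07, 08:22:25: FETCH - TLS handshake complete
07/04/2020, 13:18:14: FETCH - Initiating TLS handshake
>07/04/2020, 13:18:14: FETCH - Certificate S/N: 22DECAF1316813D2080000000035ED3F, algorithm: 1.2.840.10045.2.1 (256 bits), issued from 3/24/2020 6:48:03 AM to 6/16/2020 6:48:03 AM, for 1 host(s): pop.gmail.com.
!07/04/2020, 13:18:14: FETCH - TLS handshake failure. Invalid server certificate. The certificate cannot be used for this purpose
07/04/2020, 13:29:08: FETCH - Initiating TLS handshake
>07/04/2020, 13:29:08: FETCH - Certificate S/N: 00D80446EA4406BA970800000000320A6A, algorithm: RSA (2048 bits), issued from 3/3/2020 9:44:10 AM to 5/26/2020 9:44:10 AM, for 1 host(s): pop.gmail.com.
07/04/2020, 13:29:08: FETCH - TLS handshake complete
"""

CERT_RE = re.compile(
    r"Certificate S/N: (?P<sn>[0-9A-Fa-f]+), "
    r"algorithm: (?P<alg>.+?) \((?P<bits>\d+) bits\)"
)
OUTCOME_RE = re.compile(r"TLS handshake (?P<result>failure|complete)")

# One log in the thread prints the raw OID instead of a name;
# 1.2.840.10045.2.1 is id-ecPublicKey, i.e. an elliptic-curve key.
ALG_ALIASES = {"1.2.840.10045.2.1": "ECC"}


def correlate(log_text):
    """Pair each presented leaf certificate with the handshake outcome.

    Returns (tally, serials): tally counts (algorithm, outcome) pairs and
    serials maps each algorithm to the distinct serial numbers seen.
    """
    tally = Counter()
    serials = defaultdict(set)
    pending = None  # (algorithm, serial) of the certificate just presented
    for line in log_text.splitlines():
        m = CERT_RE.search(line)
        if m:
            alg = ALG_ALIASES.get(m["alg"], m["alg"])
            # Leading zeros are only padding: 00D8... and D8... are one serial.
            pending = (f"{alg}-{m['bits']}", m["sn"].upper().lstrip("0"))
            continue
        m = OUTCOME_RE.search(line)
        if m and pending:
            alg, serial = pending
            tally[(alg, m["result"])] += 1
            serials[alg].add(serial)
            pending = None
    return tally, dict(serials)


if __name__ == "__main__":
    counts, seen = correlate(SAMPLE_LOG)
    for (alg, result), n in sorted(counts.items()):
        print(f"{alg:9} {result:9} x{n}  serials={sorted(seen[alg])}")
```

Normalising the serial shows that both posters' successful handshakes used the same RSA certificate.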
 
UPDATE: Never mind. It looks like this didn't prevent the issue from returning.

I may have found a solution, but as the issue comes and goes, it is hard to know.

(Note: Take a screenshot or save your current settings by some other means so you are able to restore them to default.)
(Note: It looks like you can also restore these settings to default by closing The Bat! and renaming "SMIME.INI" to "SMIME.INI.BAK" in: %AppData%\The Bat!\, but do so at your own risk as I'm only assuming that's all it does.)

Try these settings:

Options ->
S/MIME and TLS... ->

Note: Here, it's much easier to just post an image: https://imgur.com/a/T7Y0rCo - You can click on the image to zoom in at the link.
Edited: cyb0rg - 07 April 2020 19:10:32
 

If the certificate has a "Key Usage" extension, it has both of the following: (1) "digitalSignature", (2) "keyEncipherment" or "keyAgreement".

If the certificate has an "Extended Key Usage" extension, it has to include "serverAuth".

If none of the above conditions are met, The Bat! reports "The certificate cannot be used for this purpose" error during TLS.

This does not depend on a public key algorithm used by the certificate, e.g. whether it is ECC or RSA.

I have found this certificate at https://crt.sh/?id=2528368628

It seems that it does only have "digitalSignature", not  "keyEncipherment" or "keyAgreement". We will check this issue ASAP.

 
I came here to write about this very same problem, I thought it was related to the fact that yesterday I installed the new browser Edge based on Chromium but since you're having the same problem, it shouldn't be it.

The problem comes and goes. I hope a solution is found soon!

Edit:

Difference between a failed and a successful attempt:
Code
07/04/2020, 13:18:14: FETCH - receiving mail messages
07/04/2020, 13:18:14: FETCH - Connecting to POP3 server pop.gmail.com on port 995
07/04/2020, 13:18:14: FETCH - Initiating TLS handshake
>07/04/2020, 13:18:14: FETCH - Certificate S/N: 22DECAF1316813D2080000000035ED3F, algorithm: 1.2.840.10045.2.1 (256 bits), issued from 3/24/2020 6:48:03 AM to 6/16/2020 6:48:03 AM, for 1 host(s): pop.gmail.com.
>07/04/2020, 13:18:14: FETCH - Owner: US, California, Mountain View, Google LLC, pop.gmail.com.
>07/04/2020, 13:18:14: FETCH - Issuer: US, Google Trust Services, GTS CA 1O1.
!07/04/2020, 13:18:14: FETCH - TLS handshake failure. Invalid server certificate. The certificate cannot be used for this purpose
07/04/2020, 13:29:08: FETCH - receiving mail messages
07/04/2020, 13:29:08: FETCH - Connecting to POP3 server pop.gmail.com on port 995
07/04/2020, 13:29:08: FETCH - Initiating TLS handshake
>07/04/2020, 13:29:08: FETCH - Certificate S/N: 00D80446EA4406BA970800000000320A6A, algorithm: RSA (2048 bits), issued from 3/3/2020 9:44:10 AM to 5/26/2020 9:44:10 AM, for 1 host(s): pop.gmail.com.
>07/04/2020, 13:29:08: FETCH - Owner: US, California, Mountain View, Google LLC, pop.gmail.com.
>07/04/2020, 13:29:08: FETCH - Issuer: US, Google Trust Services, GTS CA 1O1.
07/04/2020, 13:29:08: FETCH - TLS handshake complete
07/04/2020, 13:29:09: FETCH - connected to POP3 server
07/04/2020, 13:29:10: FETCH - authenticated (plain)
07/04/2020, 13:29:10: FETCH - 2 messages in the mailbox, 2 new

RSA (2048 bits) works.  
Edited: RangoX - 07 April 2020 21:36:50
 
Quote
Maxim Masiutin wrote:
If the certificate has a "Key Usage" extension, it has to include one of the following: "digitalSignature" or "keyEncipherment" or "keyAgreement". If the certificate has an "Extended Key Usage" extension, it has to include "serverAuth". If none of the above conditions are met, The Bat! reports "The certificate cannot be used for this purpose" error during TLS. This does not depend on a public key algorithm used by the certificate, e.g. whether it is ECC or RSA.

So, why did the problem start today and what can be done about it?  
 
The RSA certificate https://crt.sh/?id=2528346226 has both "Digital Signature" and "Key Encipherment" while the ECC one https://crt.sh/?id=2528368628 does only have "Digital Signature". We are not yet sure whether a server certificate may have "Digital Signature" only, since it is anyway used for key agreement.
 
We will research this issue ASAP and probably release an updated version of The Bat!
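The Key Usage question raised above can be modelled directly. This is an added example, not Ritlabs code: it compares the rule as posted in this thread (digitalSignature plus keyEncipherment or keyAgreement) with a check that asks only for the bit the negotiated TLS 1.2 key exchange uses, following RFC 5246 section 7.4.2. The `Cert` class and function names are hypothetical, the Key Usage values are the ones reported in the thread, and the Extended Key Usage value is an assumption.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

DS, KE, KA = "digitalSignature", "keyEncipherment", "keyAgreement"


@dataclass(frozen=True)
class Cert:
    name: str
    key_usage: Optional[FrozenSet[str]]      # None means the extension is absent
    ext_key_usage: Optional[FrozenSet[str]]  # None means the extension is absent


# Key Usage values as reported in the thread for the two crt.sh entries.
# The Extended Key Usage value is an assumption made for this example.
RSA_LEAF = Cert("RSA 2048", frozenset({DS, KE}), frozenset({"serverAuth"}))
ECC_LEAF = Cert("ECC 256", frozenset({DS}), frozenset({"serverAuth"}))

# Key Usage bit the server certificate needs for each TLS 1.2 key exchange
# when the extension is present (RFC 5246, section 7.4.2).
REQUIRED_BIT = {
    "RSA": KE,
    "DHE_RSA": DS, "ECDHE_RSA": DS, "DHE_DSS": DS, "ECDHE_ECDSA": DS,
    "DH_DSS": KA, "DH_RSA": KA,
}


def eku_ok(cert: Cert) -> bool:
    """Extended Key Usage, if present, must list serverAuth."""
    return cert.ext_key_usage is None or "serverAuth" in cert.ext_key_usage


def rule_as_posted(cert: Cert) -> bool:
    """digitalSignature AND (keyEncipherment OR keyAgreement), as posted."""
    ku = cert.key_usage
    ku_ok = ku is None or (DS in ku and (KE in ku or KA in ku))
    return ku_ok and eku_ok(cert)


def rule_per_key_exchange(cert: Cert, key_exchange: str) -> bool:
    """Require only the bit that the negotiated key exchange relies on."""
    bit = REQUIRED_BIT.get(key_exchange)
    if bit is None:
        return False  # unknown key exchange: fail closed
    ku = cert.key_usage
    return (ku is None or bit in ku) and eku_ok(cert)


def compare():
    """Return (cert, key exchange, posted rule, per-key-exchange rule) rows."""
    cases = [(RSA_LEAF, "RSA"), (RSA_LEAF, "ECDHE_RSA"), (ECC_LEAF, "ECDHE_ECDSA")]
    return [
        (c.name, kx, rule_as_posted(c), rule_per_key_exchange(c, kx))
        for c, kx in cases
    ]


if __name__ == "__main__":
    for name, kx, posted, per_kx in compare():
        print(f"{name:9} {kx:12} posted rule={posted!s:5} per-key-exchange={per_kx}")
```

With an ephemeral key exchange the server key only signs the handshake parameters, which is why a certificate carrying digitalSignature alone passes the second check while the posted rule rejects it.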
 
For what it's worth, I was having same problem today and I changed TLS certificate option to use Microsoft and set port to 465 and it's working.

david
using version 9.1.6.4  64-bit
Edited: david kirk - 07 April 2020 22:13:58
 
Quote
david kirk wrote:
For what it's worth, I was having same problem today and I changed TLS certificate option to use Microsoft and set port to 465 and it's working.

david
using version 9.1.6.4  64-bit

I tried the same but it only worked for a while...
 
Quote
RangoX wrote:
Quote
david kirk wrote:
For what it's worth, I was having same problem today and I changed TLS certificate option to use Microsoft and set port to 465 and it's working.

david
using version 9.1.6.4  64-bit
I tried the same but it only worked for a while...

Doesn't even let me send once. :-)

If this really does come down to which actual Google servers I am connecting to, I am having bad luck with it today. I can check my mail most times, but I have not been able to send my out box all day.
 
I appreciate all the help above to try a work around, and knowing an Admin (Maxim Masiutin) said a fix is being explored right now is great.
Hopefully Ritlabs can find the solution asap. I'm dead in the water until then.
Thanks everyone!