SMTP not connecting to Exchange server. EOF occurred in violation of protocol (_ssl.c:1000)

[nvasoft]

Hi.
I have Paton 3.8 on Ubuntu, for Elastalert2 an alternatives to Python 3.12.
I have verified that elastalert2 sends alerts via external email services.
But when sending an alert via an internal Exchange server:
python -m elastalert.elastalert --rule rules/DNS/01HDNS_Spyware_m.yaml --config ./config.yaml
the error comes out:
ERROR:elastalert:Error while running alert email: Error connecting to SMTP host: EOF occurred in violation of protocol (_ssl.c:1000)
tspdump shows

It is not possible to determine why the Exchange server closes the socket because logs are not stored on the Exchange server.

On the other hand, when I connect to the Exchange server via OpenSSL:
openssl s_client -starttls smtp -connect <'host'>:25

New, SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA

maybe Python 3.12 doesn't support this type of AES128 encryption?

For the test, I wrote a working script my_email.py that sends mail using python3.8. In the alternative python3.12 this script produces the same error:

Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/opt/elastalert2/my_email.py", line 20, in <module>
    sendemail(from_addr    = 'MyName@xxx.com',
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/elastalert2/my_email.py", line 14, in sendemail
    server.starttls()
  File "/usr/local/lib/python3.12/smtplib.py", line 779, in starttls
    self.sock = context.wrap_socket(self.sock,
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/ssl.py", line 455, in wrap_socket
    return self.sslsocket_class._create(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/ssl.py", line 1046, in _create
    self.do_handshake()
  File "/usr/local/lib/python3.12/ssl.py", line 1317, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLEOFError: EOF occurred in violation of protocol (_ssl.c:1000)

ssl.SSLEOFError: EOF occurred in violation of protocol (_ssl.c:1000)

[jertel]

Thank you for taking the time to create a separate discussion on this. Others will be able to more easily find this discussion if they run into a similar error.

I'm curious why you do not store Exchange server logs. Is that intentional? Those logs are going to be critical for future forensics. Additionally, without them you are blind as to the underlying TLS connection problem.

What has caught my eye in the above post is this line: Protocol : TLSv1. That cipher has some security deficiencies, and the computing industry has largely disabled and removed support for it. As of Python 3.10, TLS v1 has been deprecated. It may be possible to force it to support it, but I don't have this information on hand.

From the information you've provided it appears that your Exchange server is antiquated and needs to be updated to support modern encryption ciphers. If you do not intend to upgrade Exchange then you may have no alternative but to downgrade ElastAlert 2 to a version equivalent to that Exchange server's version era. Perhaps even switch back to the deprecated original ElastAlert, which is quite old.

[nvasoft]

Yes it is possible. And now my Ubuntu supports TLSv1. here is the link where it is described
#https://discourse.ubuntu.com/t/default-to-tls-v1-2-in-all-tls-libraries-in-20-04-lts/12464/7
and I thought I had solved the problem, but then Python 3.12 intervened :)

[nvasoft]

I used the following settings in the config file /etc/ssl/openssl.cnf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1
CipherString = DEFAULT@SECLEVEL=1

[nvasoft]

In the latest versions of Python, starting at Python 3.10, the default cipher suites for the TLS library have changed. I tried to specify the AES128 cipher, and also tried the default settings for the context

    ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
#    ssl_context = ssl.create_default_context()
#    ssl_context.options &= (
#        ~getattr(ssl, "OP_NO_TLSv1_3", 0)
#        & ~ssl.OP_NO_TLSv1_2
#        & ~ssl.OP_NO_TLSv1_1
#    )
#    ssl_context.minimum_version = ssl.TLSVersion.SSLv3
    ssl_context.minimum_version = ssl.TLSVersion.TLSv1
    ssl_context.check_hostname = False
    ssl_context.verify_mode = ssl.CERT_NONE
#    ssl_context.set_ciphers('AES256-SHA:DHE-RSA-AES256-SHA:AES128-SHA:DHE-RSA-AES128-SHA')
#    ssl_context.set_ciphers("AES128-SHA")
    ssl_context.set_ciphers("DEFAULT")

two weeks wasted, and the truth is out there.
But I found another solution, I accidentally found out that there is a server for communicating with the outside world that has a new TLS and cipher )