MailKit: MailKit.Security.SslHandshakeException misleading error actually due to missing libcurl library
This was a vexing problem that I found a solution for and am posting in case anyone else runs into this issue.
I have an asp.net Core 2.1 project with Mailkit 2.0.5 on Ubuntu 16.04.4 and a Surgemail mail server we host ourselves.
The application is an internal company app that uses IMAP to check for mail and display it in a web page. It worked fine on a Windows server for months. We recently ported our online services to Linux so I installed it on Linux with the .net 2.1 runtime and got the error stack trace in the block below when using IMAP to connect to the mail server.
Because the error specifically states it’s a certificate issue, I spent a lot of time trying many different things, including opening the mail server's non-SSL port for IMAP and turning off SSL in my code completely. Everything worked no matter what I did on my local Windows dev station, but not on the Linux server.
When I completely turned off SSL in MailKit and also overrode the certificate check, and it still gave the same error about the certificate, I knew something more was up.
The resolution turned out to be a missing pre-requisite that was not installed with the .net runtime: libcurl.
After running the following command it immediately started working without error:
apt-get install libcurl3
So it seems .net 2.1 runtime installation doesn’t actually install all the pre-requisites required for Mailkit.
It’s a bit strange that this particular error message comes up when a library is missing and all SSL options are turned off.
I hope this helps someone else in future.
(MailKit.Security.SslHandshakeException: An error occurred while attempting to establish an SSL or TLS connection.
The SSL certificate presented by the server is not trusted by the system for one or more of the following reasons:
1. The server is using a self-signed certificate which cannot be verified.
2. The local system is missing a Root or Intermediate certificate needed to verify the server's certificate.
3. The certificate presented by the server is expired or invalid.
See https://github.com/jstedfast/MailKit/blob/master/FAQ.md#InvalidSslCertificate for possible solutions. ---> System.TypeInitializationException: The type initializer for 'Http' threw an exception. ---> System.TypeInitializationException: The type initializer for 'HttpInitializer' threw an exception. ---> System.DllNotFoundException: Unable to load shared library 'System.Net.Http.Native' or one of its dependencies. In order to help diagnose loading problems, consider setting the LD_DEBUG environment variable: libSystem.Net.Http.Native: cannot open shared object file: No such file or directory
at Interop.Http.GetSslVersionDescription())
About this issue
- State: closed
- Created 6 years ago
- Reactions: 7
- Comments: 26 (8 by maintainers)
MailKit will toggle into SSL mode using the STARTTLS command if it is available unless you use SecureSocketOptions.None in the Connect() method that takes a SecureSocketOptions argument (as opposed to true/false). Hope that helps.
@DekeYan I recently found a solution to this. Before calling the client.Connect(), set client.CheckCertificateRevocation to false.
I seem to have a similar issue. I get the same message on an asp.net core 2.1 project in Docker. I use the microsoft/dotnet:2.1-aspnetcore-runtime image (latest), but with older versions I had the same issue. When I run the same code locally (macos without Docker) the exception doesn’t appear, and it works fine. libcurl3 is up to date on the Docker image.
I now resolved it by adding the ServerCertificateValidationCallback and returning true. Not the best solution, but I’m out of options to get it working.
The certificate is from LetsEncrypt. I also tried to update the root ca certificates, but also no luck. Could it be there is some issue with a missing CA?
I encountered the same issue: mailkit has been able to connect to the mailserver (aruba.it) on windows and Linux (ubuntu), but not running inside the docker image. Finally, I found that it works with the “mcr.microsoft.com/dotnet/core/aspnet:3.1-alpine” docker image, which seems to have other openssl settings.
Hope this helps others
@PeterHagen I have prepared a bot in Email automation I have not run See https://github.com/jstedfast/MailKit/blob/master/FAQ.md#InvalidSslCertificate for possible solutions. Please resolve the problem
The CheckCertificateRevocation option is simply passed to System.Net.Security.SslStream. If SslStream is failing to check certificate revocation, it means that the CA server is unavailable for CRL requests.
There is no solution that you can do as a client. It MUST be fixed by the CA and/or the server.
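The following is an added example, not code from the issue or from MailKit itself. It shows one way to tell the two failure modes in this thread apart: it walks the exception chain to the innermost cause (a DllNotFoundException in the trace above) and logs the certificate errors from the validation callback instead of returning true. The class and method names are hypothetical and mail.example.com:993 is a placeholder.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using MailKit.Net.Imap;
using MailKit.Security;

static class ImapTlsDiagnostics   // hypothetical name, for illustration only
{
    // Walk to the innermost exception. In the trace above, the outer
    // SslHandshakeException wraps a DllNotFoundException.
    static Exception RootCause(Exception ex)
    {
        while (ex.InnerException != null) ex = ex.InnerException;
        return ex;
    }

    // Log why validation failed, but never accept a certificate with errors.
    static bool ValidateAndLog(object sender, X509Certificate cert,
                               X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        Console.Error.WriteLine($"Certificate rejected: {errors}; subject={cert?.Subject}");
        if (chain != null)
            foreach (var status in chain.ChainStatus)
                Console.Error.WriteLine($"  chain: {status.Status} {status.StatusInformation}");
        return false;
    }

    static void Main()
    {
        using (var client = new ImapClient())
        {
            client.ServerCertificateValidationCallback = ValidateAndLog;
            try
            {
                // Placeholder host and port (assumption, not from the issue).
                client.Connect("mail.example.com", 993, SecureSocketOptions.SslOnConnect);
                client.Disconnect(true);
            }
            catch (SslHandshakeException ex)
            {
                var root = RootCause(ex);
                if (root is DllNotFoundException || root is TypeInitializationException)
                    Console.Error.WriteLine($"Not a certificate problem, a native dependency failed to load: {root.Message}");
                else
                    Console.Error.WriteLine($"TLS handshake failed: {root.GetType().Name}: {root.Message}");
                throw;
            }
        }
    }
}
```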