0 votes

I obtain this error connecting to many customers account:
A call to SSPI failed, see inner exception.

Inner exception:
The message received was unexpected or badly formatted

The stack trace:

at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at UserQuery.Main()

The OS: Windows Server 2016 Datacenter

The server is "mail.postecert.it"

Before of some days ago, the system worked for years.

by (430 points)

1 Answer

+1 vote

I have no problem connecting to this server using TLS 1.0:

using (var client = new Imap())
{
    client.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls;
    client.ConnectSSL("mail.postecert.it");

    client.Close();
}

TLS 1.1 and TLS 1.2 aren't suppored by this server:

using (var client = new Imap())
{
    client.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls12;
    client.ConnectSSL("mail.postecert.it");

    client.Close();
}

Exception:

System.Security.Authentication.AuthenticationException : A call to SSPI failed, see inner exception.
  ----> System.ComponentModel.Win32Exception : The client and server cannot communicate, because they do not possess a common algorithm

You can try forcing TLS 1.0:

client.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls;
client.ConnectSSL("mail.postecert.it");

Of course, and I can't stress that enough, the mail server (mail.postecert.it) should allow TLS 1.2.

by (297k points)
I tried:

    client.SSLConfiguration.EnabledSslProtocols = SslProtocols.Tls;
    client.ConnectSSL(configuration.Host, configuration.Port);

But I get the same error.
It looks like something is incorrectly configured on your client machine.

Can you download IIS Crypto GUI:
https://www.nartac.com/Products/IISCrypto/Download

..and on cipher suites tab, make sure TLS_RSA_WITH_3DES_EDE_CBC_SHA is turned on (machine restart is needed).

I check on my machine and TLS_RSA_WITH_3DES_EDE_CBC_SHA is the cypher suite, that mail.postecert.it wants to use.

When I turn off TLS_RSA_WITH_3DES_EDE_CBC_SHA using IISCrypto, I get the same error as you ("The message received was unexpected or badly formatted")

Of course, and I can't stress that enough, the biggest problem is that mail server (mail.postecert.it) is using TLS 1.0 with weak cypher suite - it should allow TLS 1.2

TLS 1.0 especially with TLS_RSA_WITH_3DES_EDE_CBC_SHA is not considered secure anymore.
...