7 Replies Latest reply on Dec 31, 2013 12:43 AM by ricardoarguello

    Custom ssl configuration in mail subsystem

    lehvolk

      Hello.

      I'm using JBoss 7.1 and trying to use the mail subsystem, but my SMTP server has a server certificate that should be trusted. Is there any way to configure the connection to the server using SSL with certificates (like the connector for the web subsystem)?

      Here is the mail subsystem configuration:

          <subsystem xmlns="urn:jboss:domain:mail:1.0">
              <mail-session jndi-name="java:jboss/mail/Default">
                  <smtp-server outbound-socket-binding-ref="mail-smtp" ssl="true">
                      <login name="login" password="password" />
                  </smtp-server>
              </mail-session>
          </subsystem>

      ....

          <outbound-socket-binding name="mail-smtp">
              <remote-destination host="server.url" port="587"/>
          </outbound-socket-binding>

      When I try to send mail I get this exception:

      Caused by: javax.mail.MessagingException: Could not connect to SMTP host: server.url, port: 587;
        nested exception is:
              javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
              at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1934)
              at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:638)
              at javax.mail.Service.connect(Service.java:317)
              at javax.mail.Service.connect(Service.java:176)
              at javax.mail.Service.connect(Service.java:125)
              at javax.mail.Transport.send0(Transport.java:194)
              at javax.mail.Transport.send(Transport.java:124)
              at test.base.SendEmailBean.construct(SendEmailBean.java:32)
              ... 39 more
      Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
              at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) [jsse.jar:1.7.0_05]
              at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1868) [jsse.jar:1.7.0_05]
              at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276) [jsse.jar:1.7.0_05]
              at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270) [jsse.jar:1.7.0_05]
              at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1338) [jsse.jar:1.7.0_05]
              at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:154) [jsse.jar:1.7.0_05]
              at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868) [jsse.jar:1.7.0_05]
              at sun.security.ssl.Handshaker.process_record(Handshaker.java:804) [jsse.jar:1.7.0_05]
              at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:998) [jsse.jar:1.7.0_05]
              at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1294) [jsse.jar:1.7.0_05]
              at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1321) [jsse.jar:1.7.0_05]
              at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1305) [jsse.jar:1.7.0_05]
              at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:507)
              at com.sun.mail.util.SocketFetcher.getSocket(SocketFetcher.java:238)
              at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1900)
              ... 46 more
      Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
              at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385) [rt.jar:1.7.0_05]
              at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) [rt.jar:1.7.0_05]
              at sun.security.validator.Validator.validate(Validator.java:260) [rt.jar:1.7.0_05]
              at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326) [jsse.jar:1.7.0_05]
              at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231) [jsse.jar:1.7.0_05]
              at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126) [jsse.jar:1.7.0_05]
              at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1320) [jsse.jar:1.7.0_05]
              ... 56 more
      Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
              at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196) [rt.jar:1.7.0_05]
              at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268) [rt.jar:1.7.0_05]
              at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380) [rt.jar:1.7.0_05]
              ... 62 more

        • 1. Re: Custom ssl configuration in mail subsystem
          ctomc

          Hi,

          you need to configure the system truststore to also include the CA that your mail server uses.

          there are many ways to do that; one is to modify the system truststore (the one that is part of the JDK)
          or create your own truststore and then configure JBoss (the JVM) to use it.

          here are some examples of what you can do and how: http://fusesource.com/docs/broker/5.3/security/SSL-SysProps.html
          choose whichever is easier for you.

          if you go with a custom truststore then you need to add these Java opts when starting JBoss:

          -Djavax.net.ssl.trustStore=/path/to/your/truststore.jks -Djavax.net.ssl.trustStorePassword=password

          and optionally -Djavax.net.ssl.trustStoreType if you use a p12 keystore instead of jks.

          --
          tomaz

          1 of 1 people found this helpful
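          The JVM-level truststore described in this reply is exactly what the PKIX validator in the stack trace above consults. The following is an added example, not code from this thread, from JBoss or from JavaMail: a small pre-flight check that performs the same TLS handshake JavaMail's openServer would, but against a truststore file you name, with hostname verification on, and on failure prints the chain the server actually presented so you can see which CA is missing. It assumes implicit TLS (SMTPS); host, port, file path and password are placeholders. The recording trust manager only observes the chain and then delegates to the real PKIX check, so nothing here weakens validation.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Pre-flight check for the "unable to find valid certification path" failure:
 * handshake with the SMTP host using a chosen truststore file and, if PKIX
 * validation fails, report the chain the server sent.
 *
 * Usage (all arguments are placeholders; implicit TLS on the given port is assumed):
 *   java SmtpTrustCheck smtp.example.com 465 /path/to/your/truststore.jks changeit
 */
public class SmtpTrustCheck {

    /** Keeps a copy of the server chain, then applies the real PKIX validation. */
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] presented = new X509Certificate[0];

        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException { delegate.checkClientTrusted(chain, authType); }

        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            presented = chain;                       // observe only
            delegate.checkServerTrusted(chain, authType); // real PKIX path building happens here
        }

        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    /** Loads the PKIX trust manager from a JKS or PKCS12 truststore file. */
    static X509TrustManager trustManagerFrom(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available for " + path);
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        RecordingTrustManager recorder =
            new RecordingTrustManager(trustManagerFrom(args[2], args[3].toCharArray()));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);

        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            // Require the certificate to match the host name as well as chain to a trusted CA;
            // JavaMail does the same when mail.smtp.ssl.checkserveridentity is enabled.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake();
            System.out.println("OK: " + host + " validates against " + args[2]);
        } catch (Exception e) {
            System.out.println("FAILED: " + e.getMessage());
            System.out.println("Server presented " + recorder.presented.length + " certificate(s):");
            for (X509Certificate c : recorder.presented) {
                System.out.println("  subject=" + c.getSubjectX500Principal());
                System.out.println("  issuer =" + c.getIssuerX500Principal());
            }
            // The issuer of the last certificate printed is the CA to import into the truststore.
        }
    }
}
```

          When the check prints OK, the same file passed as -Djavax.net.ssl.trustStore will satisfy the mail subsystem; when it fails, the printed issuer tells you which CA certificate to import (with keytool, as the linked page shows) rather than guessing.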
          • 2. Re: Custom ssl configuration in mail subsystem
            lehvolk

            Yep, this works fine.

            But in the beginning I expected that there was a way to configure it from standalone.xml. Now I think that there is no such way. I looked up the XSD schemas for standalone.xml but didn't find any solution for how to do that.

            • 3. Re: Custom ssl configuration in mail subsystem
              ctomc

              Hi,

              for now there is no such option, but I think we could add it in the future.
              If you are up for it, can you create a "feature request" in JIRA so we don't forget about it.

              --
              tomaz

              • 4. Re: Custom ssl configuration in mail subsystem
                lehvolk
                • 5. Re: Custom ssl configuration in mail subsystem
                  ctomc

                  tnx

                  • 6. Re: Re: Custom ssl configuration in mail subsystem
                    ricardoarguello

                    To implement this you should add support for security-realms to the mail subsystem.

                    Something like:

                    <security-realm name="SelfSignedMailServerCertRealm">
                      <server-identities>
                        <ssl>
                          <keystore path="mailserver.keystore" relative-to="jboss.server.config.dir" alias="mailserver" keystore-password="secret" />
                        </ssl>
                      </server-identities>
                    </security-realm>
                    ...
                    <mail-session name="default" jndi-name="java:jboss/mail/Mailserver">
                      <smtp-server outbound-socket-binding-ref="mailserver-smtp" ssl="true" security-realm="SelfSignedMailServerCertRealm">
                        <login name="user@mailserver.com" password="password" />
                      </smtp-server>
                    </mail-session>
                    ...
                    <outbound-socket-binding name="mailserver-smtp">
                      <remote-destination host="smtp.mailserver.com" port="465"/>
                    </outbound-socket-binding>

                    What do you think?

                    • 7. Re: Custom ssl configuration in mail subsystem
                      ricardoarguello

                      Hey,

                      I just realized it makes no sense to add a security-realm to the mail subsystem! Sorry about that.

                      I tested a custom configuration on a WildFly 8 CR1 server, and the scenario you were asking for is already supported on WildFly 8! You just need to declare a "custom server" and add the "mail.smtp.ssl.trust" property, which lets you ignore invalid SSL certificates for a hostname:

                      <mail-session name="default" jndi-name="java:jboss/mail/Default">
                        <custom-server name="smtp" outbound-socket-binding-ref="mail-smtp" ssl="true" username="user@exampledotcom" password="mypass">
                          <property name="mail.smtp.ssl.trust" value="smtp.example.com" />
                        </custom-server>
                      </mail-session>
                      ...
                      <outbound-socket-binding name="mail-smtp">
                        <remote-destination host="smtp.example.com" port="465"/>
                      </outbound-socket-binding>

                      I think it makes no sense to keep WFLY-1159 open.

                      Greetings,

                      --
                      Ricardo Arguello
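                      The two approaches in this thread differ in what they trust, and that difference is easiest to see in plain JavaMail. The following is an added example, not code from this thread, from WildFly or from JavaMail: the first configuration is what the custom-server property above amounts to, since mail.smtp.ssl.trust set to a host name makes JavaMail accept whatever certificate that host presents (validation is effectively off for that host, which is fine for a test box but means a forged certificate for that host would also be accepted); the second keeps full PKIX validation and hostname checking but validates against a dedicated truststore holding the mail server's CA, using com.sun.mail.util.MailSSLSocketFactory. Host, truststore path, user and password are placeholders, and the socket-factory variant needs a Java object as the property value, which is why it cannot be expressed as a <property> in standalone.xml.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Properties;
import javax.mail.Session;
import javax.mail.Transport;
import javax.net.ssl.TrustManagerFactory;
import com.sun.mail.util.MailSSLSocketFactory;

/** Side-by-side JavaMail SMTPS settings: host-pinned "trust" versus a real truststore. */
public class MailTrustConfig {

    /** Equivalent of the custom-server configuration above: any certificate from this host is accepted. */
    static Properties trustHostOnly(String host) {
        Properties p = new Properties();
        p.put("mail.smtp.host", host);
        p.put("mail.smtp.port", "465");
        p.put("mail.smtp.ssl.enable", "true");
        p.put("mail.smtp.ssl.trust", host);   // disables chain validation for exactly this host
        return p;
    }

    /** Stricter alternative: PKIX validation against a dedicated truststore plus hostname check. */
    static Properties trustViaTrustStore(String host, String trustStorePath, char[] password)
            throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        MailSSLSocketFactory sf = new MailSSLSocketFactory();   // JavaMail's SSLSocketFactory wrapper
        sf.setTrustManagers(tmf.getTrustManagers());            // trust only the CAs in our file

        Properties p = new Properties();
        p.put("mail.smtp.host", host);
        p.put("mail.smtp.port", "465");
        p.put("mail.smtp.ssl.enable", "true");
        p.put("mail.smtp.ssl.checkserveridentity", "true");     // certificate must match the host name
        p.put("mail.smtp.ssl.socketFactory", sf);               // object value: not expressible in XML
        return p;
    }

    public static void main(String[] args) throws Exception {
        // args (placeholders): host truststorePath truststorePassword user password
        Properties props = trustViaTrustStore(args[0], args[1], args[2].toCharArray());
        Session session = Session.getInstance(props);
        session.setDebug(true);                                  // prints the TLS/SMTP dialogue
        Transport transport = session.getTransport("smtp");
        try {
            transport.connect(args[0], args[3], args[4]);        // succeeds only if the chain validates
            System.out.println("connected: certificate chain validated against " + args[1]);
        } finally {
            transport.close();
        }
    }
}
```

                      For a server deployment, the truststore variant is the one that matches the JVM-level fix earlier in the thread (the same file passed as -Djavax.net.ssl.trustStore), while mail.smtp.ssl.trust is best reserved for cases where you deliberately accept that host's certificate without a CA.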