Tls parameters in imap/smtp sessions #724

Open
synim503 opened this issue Mar 14, 2024 · 3 comments

@synim503

Our mail server accepts requests with a certain set of cipher suites, extensions, EllipticCurves, EllipticCurvePointFormats. And while cipher suites are set by the parameter mail.smtp.ssl.ciphersuites (at least in java mail), it is not clear with the other parameters. And I tried to change ciphersuites in jakarta.mail, it didn't work.

String cipherSuites = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,...";
props.put("mail.smtp.ssl.ciphersuites", cipherSuites);

And so the question:

How, in an imap/smtp connection, do I replace:

  1. cipher suites
  2. extensions
  3. EllipticCurves
  4. EllipticCurvePointFormats

@jmehrens
Contributor

Re-test with system property mail.socket.debug=true (not a session property), as in java -Dmail.socket.debug=true -jar my.app. This will output information on what ciphers were set based on your session properties. You should see log lines in system out that start with "SSL enabled protocols after" and "SSL enabled ciphers after" that will reflect the state of the sslsocket after reading your properties.

There is also system property java.security.debug, which has multiple options for debugging.

Start with verifying what you have set in the mail properties for ciphers is actually being set on the ssl socket.

@synim503
Author

@jmehrens The problem was that some encryption methods were already obsolete and considered insecure, and were disabled at the jvm level. But the problem remained with the extensions, EllipticCurves, EllipticCurvePointFormats. Is there any possibility to change them? Or because of the complexity of this procedure, is it more rational to change the acceptable tls fingerprints accepted by the mail server?

@jmehrens
Contributor

Mail just sits on top of Java Secure Socket Extension (JSSE), so keep in mind that most of the configuration you are looking for is in the JSSE reference guide from the FAQ link I provided. It takes some digging through that guide, but it usually has an answer. Basically, if you configure JSSE, mail will just use it.

We do enable some configuration of sockets via mail properties (cipher and protocol) but for anything more complex you would use the mail.smtp.ssl.socketFactory or mail.smtp.ssl.socketFactory.class to control all aspects of configuring a socket.

Bouncycastle has some pluggable security providers too.
