Hi Thomas,
I check with my test case and update the documentation accordingly
Thanks,
Siegfried Goeschl
On 09.10.13 22:42, Thomas Neidhart wrote:
On 10/09/2013 12:26 PM, Carl Erberg wrote:
Hi,
in the user guide to commons email
http://commons.apache.org/proper/commons-email/userguide.html
I found the rather surprising statement:
"When using a secured transport (STARTTLS or SSL) you can force validating
the server's certificate by calling Email.setSSLCheckServerIdentity(true).
Having said that this does not seem to work on any of my test servers
(GMAIL, GMX)."
I can confirm that my code also does not complain when I test it against a
server with a self signed certificate. setSSLCeckServerIdentity not working
means that commons email is vulnerable to MiTM attacks.
Is there a fix for this? Am I doing something wrong? Some misunderstanding?
Any workaround? Is the user guide wrong?
[ I would not discuss such a security issue on a public mailing list, if it
wasn't already disclosed in the user guide ]
Hi Carl,
I have tested sending emails to GMAIL and a local postfix installation
with a self-signed certificate.
For the purpose of debugging the ssl handshake, I enabled the following
debug switch: System.setProperty("javax.net.debug", "all");
Results:
* GMAIL: SSL and TLS work fine, the gmail server certificate is
reported as trusted:
Found trusted certificate:
[
[
Version: V3
Subject: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
....
* LOCAL:
- without adding my local certificate to my trustStore, I get the
following exception:
Caused by: sun.security.validator.ValidatorException: PKIX path
building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
at
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
at
sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
at sun.security.validator.Validator.validate(Validator.java:203)
at
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
at
com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
at
com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
... 45 more
Caused by:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
at
sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
at
java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
at
sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
... 50 more
- after adding the certificate to my trustStore, I can successfully
connect to the server and send emails
So it seems to work fine for me. The problem stated in the userguide may
relate to a time where the root CA (Equifax Secure Certificate
Authority) of the gmail certificate was not yet in the default
trustStore (it is now btw).
Best regards,
Thomas
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@commons.apache.org
For additional commands, e-mail: user-h...@commons.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@commons.apache.org
For additional commands, e-mail: user-h...@commons.apache.org
