subject:" Re\: Geronimo Java Mail 1.6 in TomEE 8.0.5 \-> TLS 1.2 \/ 1.3 Support\?"

Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

2020-12-04 Thread Zowalla, Richard

Hi,

I filled a JIRA [1] to address the issues related to cypher suites. 

Yes, the original PR changes are related to STARTLS code, but I think,
that we are fine (at least for now).

Gruss
Richard


[1] https://issues.apache.org/jira/browse/GERONIMO-6793

Am Donnerstag, den 03.12.2020, 20:55 + schrieb Bernd Eckenfels:
> Hello,
> 
> Yes I agree, the ciphers would be its own (security) issue.
> 
>  and it might be not so simple to fix as Mail servers are notoriously
> outdated and TLS-sloppy. Luckily JDK has already some provisions for
> demoting old/deprecated ciphers and also disable most of the not
> useable insecure ones in the supported list (but still this weakening
> of the JDK defaults should be opt-in).
> 
> BTW i haven’t checked all of the code, if you are requesting TLS
> context, there might be another point to look out for protocol names
> (very unfortunate API design I must say). I imagine this might be
> needed for STARTLS code?
> 
> Gruss
> Bernd
> 
> 
> --
> http://bernd.eckenfels.net
> 
>  
> Von: Zowalla, Richard 
> Gesendet: Donnerstag, Dezember 3, 2020 1:48 PM
> An: dev@geronimo.apache.org
> Betreff: Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 /
> 1.3 Support?
>  
> 
> Hi Bernd,
> 
> @1: I think the original intention of the code (before the PR) was to
> disallow the use of sslv2 or sslv3 for the tls handling code thus the
> hard-coding to tlsv1 as ssl is handled in another part of the class.
> But I agree, that we could remove the "else" and consequently all
> kind
> of hard-coded TLS config. In this way, we would trust in the jdk
> defaults. 
> 
> @2: I think, that the aspect related to cyphers would be a separate
> issue / PR. I agree, that enabling all available cyphers (L602/L603)
> is
> not a good idea in general, but this code hasn't changed in the
> proposed PR :)
> 
> 
> wdyt?
> 
> Best
> Richard
> 
> Am Donnerstag, den 03.12.2020, 12:11 + schrieb Bernd Eckenfels:
> > Hello,
> > 
> > Allowing protocols to be configured is good, but I am not sure why
> > you fall back to a hand selected list of no configuration is given,
> > why not simply use the JDK defaults, they are frequently adjusted
> > (just recently the older TLS versions get removed).
> > 
> > Along this line, why enable all supported ciphers? There is a good
> > reason why the JDK disables many. I would stick to the default
> > ciphers (and protocols).
> > 
> > Gruss
> > Bernd
> > --
> > http://bernd.eckenfels.net
> >  
> > Von: Zowalla, Richard 
> > Gesendet: Mittwoch, Dezember 2, 2020 4:57 PM
> > An: dev@geronimo.apache.org
> > Betreff: Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 /
> > 1.3 Support?
> >  
> > Should be fixed now.
> > 
> > Am Mittwoch, den 02.12.2020, 15:32 + schrieb Zowalla, Richard:
> > > It is indeed
> > > 
> > > mail..ssl.socketFactory.class
> > > 
> > > (see line 88, MailConnection#MAIL_SSL_FACTORY_CLASS -> uses
> > > reflection to create an instance of the specified factory.
> > > 
> > > or
> > > 
> > > mail..ssl.socketFactory
> > > 
> > > (which requires adding a pre-configured and instantiated factory
> > > instance into the properties of the mail session)
> > > 
> > > To be complete, I will add this way to the README as well.
> > > 
> > > Am Mittwoch, den 02.12.2020, 16:24 +0100 schrieb Romain Manni-
> > Bucau:
> > > > Isnt the property mail..ssl.socketFactory ?
> > > > 
> > > > Romain Manni-Bucau
> > > > @rmannibucau |  Blog | Old Blog | Github | LinkedIn | Book
> > > > 
> > > > 
> > > > Le mer. 2 déc. 2020 à 16:09, Zowalla, Richard <
> > > > richard.zowa...@hs-heilbronn.de> a écrit :
> > > > > Okay. Thanks for the feedback - today, I learned a lot about
> > the
> > > > > insides of Javamail :)
> > > > > 
> > > > > I have updated my PR:
> > > > > 
> > > > > - Updated README.txt to contain some documentation about
> > setting
> > > > > a
> > > > > custom ssl socket factory
> > > > > - Dropped TLSv1 in the fallback protocols (if no custom set
> > > > > properties
> > > > > are present)
> > > > > 
> > > > > Thanks,
> > > > > Richard
> > > > > 
> > > > > 
> > > > > Am Mittwoch, den 02.12.2020, 15:29 +0100 schrieb

Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

2020-12-03 Thread Bernd Eckenfels

Hello,

Yes I agree, the ciphers would be its own (security) issue.

 and it might be not so simple to fix as Mail servers are notoriously outdated 
and TLS-sloppy. Luckily JDK has already some provisions for demoting 
old/deprecated ciphers and also disable most of the not useable insecure ones 
in the supported list (but still this weakening of the JDK defaults should be 
opt-in).

BTW i haven’t checked all of the code, if you are requesting TLS context, there 
might be another point to look out for protocol names (very unfortunate API 
design I must say). I imagine this might be needed for STARTLS code?

Gruss
Bernd


--
http://bernd.eckenfels.net


Von: Zowalla, Richard 
Gesendet: Donnerstag, Dezember 3, 2020 1:48 PM
An: dev@geronimo.apache.org
Betreff: Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

Hi Bernd,

@1: I think the original intention of the code (before the PR) was to
disallow the use of sslv2 or sslv3 for the tls handling code thus the
hard-coding to tlsv1 as ssl is handled in another part of the class.
But I agree, that we could remove the "else" and consequently all kind
of hard-coded TLS config. In this way, we would trust in the jdk
defaults.

@2: I think, that the aspect related to cyphers would be a separate
issue / PR. I agree, that enabling all available cyphers (L602/L603) is
not a good idea in general, but this code hasn't changed in the
proposed PR :)


wdyt?

Best
Richard

Am Donnerstag, den 03.12.2020, 12:11 + schrieb Bernd Eckenfels:
> Hello,
>
> Allowing protocols to be configured is good, but I am not sure why
> you fall back to a hand selected list of no configuration is given,
> why not simply use the JDK defaults, they are frequently adjusted
> (just recently the older TLS versions get removed).
>
> Along this line, why enable all supported ciphers? There is a good
> reason why the JDK disables many. I would stick to the default
> ciphers (and protocols).
>
> Gruss
> Bernd
> --
> http://bernd.eckenfels.net
>
> Von: Zowalla, Richard 
> Gesendet: Mittwoch, Dezember 2, 2020 4:57 PM
> An: dev@geronimo.apache.org
> Betreff: Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 /
> 1.3 Support?
>
> Should be fixed now.
>
> Am Mittwoch, den 02.12.2020, 15:32 + schrieb Zowalla, Richard:
> > It is indeed
> >
> > mail..ssl.socketFactory.class
> >
> > (see line 88, MailConnection#MAIL_SSL_FACTORY_CLASS -> uses
> > reflection to create an instance of the specified factory.
> >
> > or
> >
> > mail..ssl.socketFactory
> >
> > (which requires adding a pre-configured and instantiated factory
> > instance into the properties of the mail session)
> >
> > To be complete, I will add this way to the README as well.
> >
> > Am Mittwoch, den 02.12.2020, 16:24 +0100 schrieb Romain Manni-
> Bucau:
> > > Isnt the property mail..ssl.socketFactory ?
> > >
> > > Romain Manni-Bucau
> > > @rmannibucau |  Blog | Old Blog | Github | LinkedIn | Book
> > >
> > >
> > > Le mer. 2 déc. 2020 à 16:09, Zowalla, Richard <
> > > richard.zowa...@hs-heilbronn.de> a écrit :
> > > > Okay. Thanks for the feedback - today, I learned a lot about
> the
> > > > insides of Javamail :)
> > > >
> > > > I have updated my PR:
> > > >
> > > > - Updated README.txt to contain some documentation about
> setting
> > > > a
> > > > custom ssl socket factory
> > > > - Dropped TLSv1 in the fallback protocols (if no custom set
> > > > properties
> > > > are present)
> > > >
> > > > Thanks,
> > > > Richard
> > > >
> > > >
> > > > Am Mittwoch, den 02.12.2020, 15:29 +0100 schrieb Romain Manni-
> > > > Bucau:
> > > > > Guess you can just create a readme in the geronimo-javamail
> > > > root
> > > > > project, will be sufficient as a first step.
> > > > > Abou he default I wonder if dropping tlsv1 cant be good since
> > > > it will
> > > > > be dropped soon?
> > > > > Otherwise just adding the missing "o" in protocols i'm fine
> > > > with your
> > > > > proposal.
> > > > >
> > > > > We need to refine if we do a javamail subsite or a generic
> spec
> > > > > subsite sill :s.
> > > > >
> > > > > Romain Manni-Bucau
> > > > > @rmannibucau |  Blog | Old Blog | Github | LinkedIn | Book
> > > > >
> > > > >
> > > > >

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

2020-12-03 Thread Zowalla, Richard

Hi Bernd,

@1: I think the original intention of the code (before the PR) was to
disallow the use of sslv2 or sslv3 for the tls handling code thus the
hard-coding to tlsv1 as ssl is handled in another part of the class.
But I agree, that we could remove the "else" and consequently all kind
of hard-coded TLS config. In this way, we would trust in the jdk
defaults. 

@2: I think, that the aspect related to cyphers would be a separate
issue / PR. I agree, that enabling all available cyphers (L602/L603) is
not a good idea in general, but this code hasn't changed in the
proposed PR :)


wdyt?

Best
Richard

Am Donnerstag, den 03.12.2020, 12:11 + schrieb Bernd Eckenfels:
> Hello,
> 
> Allowing protocols to be configured is good, but I am not sure why
> you fall back to a hand selected list of no configuration is given,
> why not simply use the JDK defaults, they are frequently adjusted
> (just recently the older TLS versions get removed).
> 
> Along this line, why enable all supported ciphers? There is a good
> reason why the JDK disables many. I would stick to the default
> ciphers (and protocols).
> 
> Gruss
> Bernd
> --
> http://bernd.eckenfels.net
>  
> Von: Zowalla, Richard 
> Gesendet: Mittwoch, Dezember 2, 2020 4:57 PM
> An: dev@geronimo.apache.org
> Betreff: Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 /
> 1.3 Support?
>  
> Should be fixed now.
> 
> Am Mittwoch, den 02.12.2020, 15:32 + schrieb Zowalla, Richard:
> > It is indeed
> > 
> > mail..ssl.socketFactory.class
> > 
> > (see line 88, MailConnection#MAIL_SSL_FACTORY_CLASS -> uses
> > reflection to create an instance of the specified factory.
> > 
> > or
> > 
> > mail..ssl.socketFactory
> > 
> > (which requires adding a pre-configured and instantiated factory
> > instance into the properties of the mail session)
> > 
> > To be complete, I will add this way to the README as well.
> > 
> > Am Mittwoch, den 02.12.2020, 16:24 +0100 schrieb Romain Manni-
> Bucau:
> > > Isnt the property mail..ssl.socketFactory ?
> > > 
> > > Romain Manni-Bucau
> > > @rmannibucau |  Blog | Old Blog | Github | LinkedIn | Book
> > > 
> > > 
> > > Le mer. 2 déc. 2020 à 16:09, Zowalla, Richard <
> > > richard.zowa...@hs-heilbronn.de> a écrit :
> > > > Okay. Thanks for the feedback - today, I learned a lot about
> the
> > > > insides of Javamail :)
> > > > 
> > > > I have updated my PR:
> > > > 
> > > > - Updated README.txt to contain some documentation about
> setting
> > > > a
> > > > custom ssl socket factory
> > > > - Dropped TLSv1 in the fallback protocols (if no custom set
> > > > properties
> > > > are present)
> > > > 
> > > > Thanks,
> > > > Richard
> > > > 
> > > > 
> > > > Am Mittwoch, den 02.12.2020, 15:29 +0100 schrieb Romain Manni-
> > > > Bucau:
> > > > > Guess you can just create a readme in the geronimo-javamail
> > > > root
> > > > > project, will be sufficient as a first step.
> > > > > Abou he default I wonder if dropping tlsv1 cant be good since
> > > > it will
> > > > > be dropped soon?
> > > > > Otherwise just adding the missing "o" in protocols i'm fine
> > > > with your
> > > > > proposal.
> > > > > 
> > > > > We need to refine if we do a javamail subsite or a generic
> spec
> > > > > subsite sill :s.
> > > > > 
> > > > > Romain Manni-Bucau
> > > > > @rmannibucau |  Blog | Old Blog | Github | LinkedIn | Book
> > > > > 
> > > > > 
> > > > > Le mer. 2 déc. 2020 à 15:26, Zowalla, Richard <
> > > > > richard.zowa...@hs-heilbronn.de> a écrit :
> > > > > > I updated the diff (cf. v2) to (hopefully) address the
> > > > concerns
> > > > > > raised
> > > > > > (if I understood them correctly).
> > > > > > 
> > > > > > If you point me to a location where I can add a README /
> > > > > > documentation,
> > > > > > I would be happy to fill another JIRA with a related PR to
> > > > document
> > > > > > the
> > > > > > usage of the custom ssl socket factory.
> > > > > > 
> > > > > > Am Mittwoch, den 02.12.2020, 13:58 + schrieb Zowalla,
> > &g

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

2020-12-03 Thread Bernd Eckenfels

Hello,

Allowing protocols to be configured is good, but I am not sure why you fall 
back to a hand selected list of no configuration is given, why not simply use 
the JDK defaults, they are frequently adjusted (just recently the older TLS 
versions get removed).

Along this line, why enable all supported ciphers? There is a good reason why 
the JDK disables many. I would stick to the default ciphers (and protocols).

Gruss
Bernd
--
http://bernd.eckenfels.net


Von: Zowalla, Richard 
Gesendet: Mittwoch, Dezember 2, 2020 4:57 PM
An: dev@geronimo.apache.org
Betreff: Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

Should be fixed now.

Am Mittwoch, den 02.12.2020, 15:32 + schrieb Zowalla, Richard:
> It is indeed
>
> mail..ssl.socketFactory.class
>
> (see line 88, MailConnection#MAIL_SSL_FACTORY_CLASS -> uses
> reflection to create an instance of the specified factory.
>
> or
>
> mail..ssl.socketFactory
>
> (which requires adding a pre-configured and instantiated factory
> instance into the properties of the mail session)
>
> To be complete, I will add this way to the README as well.
>
> Am Mittwoch, den 02.12.2020, 16:24 +0100 schrieb Romain Manni-Bucau:
> > Isnt the property mail..ssl.socketFactory ?
> >
> > Romain Manni-Bucau
> > @rmannibucau |  Blog | Old Blog | Github | LinkedIn | Book
> >
> >
> > Le mer. 2 déc. 2020 à 16:09, Zowalla, Richard <
> > richard.zowa...@hs-heilbronn.de> a écrit :
> > > Okay. Thanks for the feedback - today, I learned a lot about the
> > > insides of Javamail :)
> > >
> > > I have updated my PR:
> > >
> > > - Updated README.txt to contain some documentation about setting
> > > a
> > > custom ssl socket factory
> > > - Dropped TLSv1 in the fallback protocols (if no custom set
> > > properties
> > > are present)
> > >
> > > Thanks,
> > > Richard
> > >
> > >
> > > Am Mittwoch, den 02.12.2020, 15:29 +0100 schrieb Romain Manni-
> > > Bucau:
> > > > Guess you can just create a readme in the geronimo-javamail
> > > root
> > > > project, will be sufficient as a first step.
> > > > Abou he default I wonder if dropping tlsv1 cant be good since
> > > it will
> > > > be dropped soon?
> > > > Otherwise just adding the missing "o" in protocols i'm fine
> > > with your
> > > > proposal.
> > > >
> > > > We need to refine if we do a javamail subsite or a generic spec
> > > > subsite sill :s.
> > > >
> > > > Romain Manni-Bucau
> > > > @rmannibucau |  Blog | Old Blog | Github | LinkedIn | Book
> > > >
> > > >
> > > > Le mer. 2 déc. 2020 à 15:26, Zowalla, Richard <
> > > > richard.zowa...@hs-heilbronn.de> a écrit :
> > > > > I updated the diff (cf. v2) to (hopefully) address the
> > > concerns
> > > > > raised
> > > > > (if I understood them correctly).
> > > > >
> > > > > If you point me to a location where I can add a README /
> > > > > documentation,
> > > > > I would be happy to fill another JIRA with a related PR to
> > > document
> > > > > the
> > > > > usage of the custom ssl socket factory.
> > > > >
> > > > > Am Mittwoch, den 02.12.2020, 13:58 + schrieb Zowalla,
> > > Richard:
> > > > > > Thanks for your thoughs - I think, I get the idea.
> > > > > >
> > > > > > Maybe:
> > > > > >
> > > > > > - Using "mail.smtp.ssl.protocls" to allow easier
> > > configuration
> > > > > (as
> > > > > > proposed in the PR) for
> > > MailConnection#getConnectedTLSSocket() -
> > > > > > would
> > > > > > address 1.
> > > > > >
> > > > > > - To address 3. and pre-claim: PR would enable all
> > > protocols;
> > > > > maybe
> > > > > > address this concern by adding a default fallback pointing
> > > to
> > > > > TLSv1,
> > > > > > TLSv1.1, TLSv1.2 and TLS v1.3 (if supported) if no custom
> > > > > > configuration
> > > > > > via "mail.smtp.ssl.protocls" is present?
> > > > > >
> > > > > > - Documentation is always appreciated ;)
> > > > > >

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

2020-12-02 Thread Zowalla, Richard

Should be fixed now.

Am Mittwoch, den 02.12.2020, 15:32 + schrieb Zowalla, Richard:
> It is indeed
> 
> mail..ssl.socketFactory.class
> 
> (see line 88, MailConnection#MAIL_SSL_FACTORY_CLASS -> uses
> reflection to create an instance of the specified factory.
> 
> or
> 
> mail..ssl.socketFactory
> 
> (which requires adding a pre-configured and instantiated factory
> instance into the properties of the mail session)
> 
> To be complete, I will add this way to the README as well.
> 
> Am Mittwoch, den 02.12.2020, 16:24 +0100 schrieb Romain Manni-Bucau:
> > Isnt the property mail..ssl.socketFactory ?
> > 
> > Romain Manni-Bucau
> > @rmannibucau |  Blog | Old Blog | Github | LinkedIn | Book
> > 
> > 
> > Le mer. 2 déc. 2020 à 16:09, Zowalla, Richard <
> > richard.zowa...@hs-heilbronn.de> a écrit :
> > > Okay. Thanks for the feedback - today, I learned a lot about the
> > > insides of Javamail :)
> > > 
> > > I have updated my PR:
> > > 
> > > - Updated README.txt to contain some documentation about setting
> > > a
> > > custom ssl socket factory
> > > - Dropped TLSv1 in the fallback protocols (if no custom set
> > > properties
> > > are present)
> > > 
> > > Thanks,
> > > Richard
> > > 
> > > 
> > > Am Mittwoch, den 02.12.2020, 15:29 +0100 schrieb Romain Manni-
> > > Bucau:
> > > > Guess you can just create a readme in the geronimo-javamail
> > > root
> > > > project, will be sufficient as a first step.
> > > > Abou he default I wonder if dropping tlsv1 cant be good since
> > > it will
> > > > be dropped soon?
> > > > Otherwise just adding the missing "o" in protocols i'm fine
> > > with your
> > > > proposal.
> > > > 
> > > > We need to refine if we do a javamail subsite or a generic spec
> > > > subsite sill :s.
> > > > 
> > > > Romain Manni-Bucau
> > > > @rmannibucau |  Blog | Old Blog | Github | LinkedIn | Book
> > > > 
> > > > 
> > > > Le mer. 2 déc. 2020 à 15:26, Zowalla, Richard <
> > > > richard.zowa...@hs-heilbronn.de> a écrit :
> > > > > I updated the diff (cf. v2) to (hopefully) address the
> > > concerns
> > > > > raised
> > > > > (if I understood them correctly).
> > > > > 
> > > > > If you point me to a location where I can add a README /
> > > > > documentation,
> > > > > I would be happy to fill another JIRA with a related PR to
> > > document
> > > > > the
> > > > > usage of the custom ssl socket factory.
> > > > > 
> > > > > Am Mittwoch, den 02.12.2020, 13:58 + schrieb Zowalla,
> > > Richard:
> > > > > > Thanks for your thoughs - I think, I get the idea.
> > > > > > 
> > > > > > Maybe:
> > > > > > 
> > > > > > - Using "mail.smtp.ssl.protocls" to allow easier
> > > configuration
> > > > > (as
> > > > > > proposed in the PR) for
> > > MailConnection#getConnectedTLSSocket() -
> > > > > > would
> > > > > > address 1.
> > > > > > 
> > > > > > - To address 3. and pre-claim: PR would enable all
> > > protocols;
> > > > > maybe
> > > > > > address this concern by adding a default fallback pointing
> > > to
> > > > > TLSv1,
> > > > > > TLSv1.1, TLSv1.2 and TLS v1.3 (if supported) if no custom
> > > > > > configuration
> > > > > > via "mail.smtp.ssl.protocls" is present?
> > > > > > 
> > > > > > - Documentation is always appreciated ;)
> > > > > > 
> > > > > > Wdyt?
> > > > > > 
> > > > > > Am Mittwoch, den 02.12.2020, 14:41 +0100 schrieb Romain
> > > Manni-
> > > > > Bucau:
> > > > > > > Yes but issue that we don't want to enable them all too.
> > > > > > > So to be concrete what about:
> > > > > > > 
> > > > > > > 1. Enable a smoother configuration (to avoid a custom
> > > class)
> > > > > > > 2. Document the custom class case better (at least in a
> > > readme)
> > > > > > > 3. Change a bit default to inherit JVM ones
> > > > > > > 
> > > > > > > Think we should make the 3 to consider this case treated
> > > (does
> > > > > not
> > > > > > > mean it must be in the same PR but more before next
> > > release).
> > > > > > > Wdyt?
> > > > > > > 
> > > > > > > Romain Manni-Bucau
> > > > > > > @rmannibucau |  Blog | Old Blog | Github | LinkedIn |
> > > Book
> > > > > > > 
> > > > > > > 
> > > > > > > Le mer. 2 déc. 2020 à 13:20, Zowalla, Richard <
> > > > > > > richard.zowa...@hs-heilbronn.de> a écrit :
> > > > > > > > Ah sorry - I misunderstood your comment.
> > > > > > > > 
> > > > > > > > A custom socket factory would indeed fix the problem,
> > > but it
> > > > > is
> > > > > > > > rather undocumented.
> > > > > > > > 
> > > > > > > > Nevertheless I think, that the default fallback
> > > shouldn't be
> > > > > > > > hardcoded or at least support some more protocols...
> > > > > > > > 
> > > > > > > > Best and thanks for the idea,
> > > > > > > > Richard
> > > > > > > > 
> > > > > > > > Am Mittwoch, den 02.12.2020, 12:16 + schrieb
> > > Zowalla,
> > > > > > > > Richard:
> > > > > > > > > Honestly I didn't. I discovered the hard-coded
> > > > > > > > > String[]("TLSv1")
> > > > > > > > > in
> > > > > > > > > MailConnection#getConnectedTLSSocket(), which is
> > > (imho) a
> > > > > bit
> >

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

2020-12-02 Thread Zowalla, Richard

It is indeed
mail..ssl.socketFactory.class
(see line 88, MailConnection#MAIL_SSL_FACTORY_CLASS -> uses reflection
to create an instance of the specified factory.
or
mail..ssl.socketFactory
(which requires adding a pre-configured and instantiated factory
instance into the properties of the mail session)
To be complete, I will add this way to the README as well.
Am Mittwoch, den 02.12.2020, 16:24 +0100 schrieb Romain Manni-Bucau:
> Isnt the property mail..ssl.socketFactory ?
> Romain Manni-Bucau
> @rmannibucau |  Blog | Old Blog | Github | LinkedIn | Book
> 
> 
> Le mer. 2 déc. 2020 à 16:09, Zowalla, Richard <
> richard.zowa...@hs-heilbronn.de> a écrit :
> > Okay. Thanks for the feedback - today, I learned a lot about the
> > 
> > insides of Javamail :)
> > 
> > 
> > 
> > I have updated my PR:
> > 
> > 
> > 
> > - Updated README.txt to contain some documentation about setting a
> > 
> > custom ssl socket factory
> > 
> > - Dropped TLSv1 in the fallback protocols (if no custom set
> > properties
> > 
> > are present)
> > 
> > 
> > 
> > Thanks,
> > 
> > Richard
> > 
> > 
> > 
> > 
> > 
> > Am Mittwoch, den 02.12.2020, 15:29 +0100 schrieb Romain Manni-
> > Bucau:
> > 
> > > Guess you can just create a readme in the geronimo-javamail root
> > 
> > > project, will be sufficient as a first step.
> > 
> > > Abou he default I wonder if dropping tlsv1 cant be good since it
> > will
> > 
> > > be dropped soon?
> > 
> > > Otherwise just adding the missing "o" in protocols i'm fine with
> > your
> > 
> > > proposal.
> > 
> > > 
> > 
> > > We need to refine if we do a javamail subsite or a generic spec
> > 
> > > subsite sill :s.
> > 
> > > 
> > 
> > > Romain Manni-Bucau
> > 
> > > @rmannibucau |  Blog | Old Blog | Github | LinkedIn | Book
> > 
> > > 
> > 
> > > 
> > 
> > > Le mer. 2 déc. 2020 à 15:26, Zowalla, Richard <
> > 
> > > richard.zowa...@hs-heilbronn.de> a écrit :
> > 
> > > > I updated the diff (cf. v2) to (hopefully) address the concerns
> > 
> > > > raised
> > 
> > > > (if I understood them correctly).
> > 
> > > > 
> > 
> > > > If you point me to a location where I can add a README /
> > 
> > > > documentation,
> > 
> > > > I would be happy to fill another JIRA with a related PR to
> > document
> > 
> > > > the
> > 
> > > > usage of the custom ssl socket factory.
> > 
> > > > 
> > 
> > > > Am Mittwoch, den 02.12.2020, 13:58 + schrieb Zowalla,
> > Richard:
> > 
> > > > > Thanks for your thoughs - I think, I get the idea.
> > 
> > > > > 
> > 
> > > > > Maybe:
> > 
> > > > > 
> > 
> > > > > - Using "mail.smtp.ssl.protocls" to allow easier
> > configuration
> > 
> > > > (as
> > 
> > > > > proposed in the PR) for
> > MailConnection#getConnectedTLSSocket() -
> > 
> > > > > would
> > 
> > > > > address 1.
> > 
> > > > > 
> > 
> > > > > - To address 3. and pre-claim: PR would enable all protocols;
> > 
> > > > maybe
> > 
> > > > > address this concern by adding a default fallback pointing to
> > 
> > > > TLSv1,
> > 
> > > > > TLSv1.1, TLSv1.2 and TLS v1.3 (if supported) if no custom
> > 
> > > > > configuration
> > 
> > > > > via "mail.smtp.ssl.protocls" is present?
> > 
> > > > > 
> > 
> > > > > - Documentation is always appreciated ;)
> > 
> > > > > 
> > 
> > > > > Wdyt?
> > 
> > > > > 
> > 
> > > > > Am Mittwoch, den 02.12.2020, 14:41 +0100 schrieb Romain
> > Manni-
> > 
> > > > Bucau:
> > 
> > > > > > Yes but issue that we don't want to enable them all too.
> > 
> > > > > > So to be concrete what about:
> > 
> > > > > > 
> > 
> > > > > > 1. Enable a smoother configuration (to avoid a custom
> > class)
> > 
> > > > > > 2. Document the custom class case better (at least in a
> > readme)
> > 
> > > > > > 3. Change a bit default to inherit JVM ones
> > 
> > > > > > 
> > 
> > > > > > Think we should make the 3 to consider this case treated
> > (does
> > 
> > > > not
> > 
> > > > > > mean it must be in the same PR but more before next
> > release).
> > 
> > > > > > Wdyt?
> > 
> > > > > > 
> > 
> > > > > > Romain Manni-Bucau
> > 
> > > > > > @rmannibucau |  Blog | Old Blog | Github | LinkedIn | Book
> > 
> > > > > > 
> > 
> > > > > > 
> > 
> > > > > > Le mer. 2 déc. 2020 à 13:20, Zowalla, Richard <
> > 
> > > > > > richard.zowa...@hs-heilbronn.de> a écrit :
> > 
> > > > > > > Ah sorry - I misunderstood your comment.
> > 
> > > > > > > 
> > 
> > > > > > > A custom socket factory would indeed fix the problem, but
> > it
> > 
> > > > is
> > 
> > > > > > > rather undocumented.
> > 
> > > > > > > 
> > 
> > > > > > > Nevertheless I think, that the default fallback shouldn't
> > be
> > 
> > > > > > > hardcoded or at least support some more protocols...
> > 
> > > > > > > 
> > 
> > > > > > > Best and thanks for the idea,
> > 
> > > > > > > Richard
> > 
> > > > > > > 
> > 
> > > > > > > Am Mittwoch, den 02.12.2020, 12:16 + schrieb Zowalla,
> > 
> > > > > > > Richard:
> > 
> > > > > > > > Honestly I didn't. I discovered the hard-coded
> > 
> > > > > > > > String[]("TLSv1")
> > 
> > > > > > > > in
> > 
> > > > > > > >

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

2020-12-02 Thread Romain Manni-Bucau

Isnt the property mail..ssl.socketFactory ?

Romain Manni-Bucau
@rmannibucau  |  Blog
 | Old Blog
 | Github  |
LinkedIn  | Book



Le mer. 2 déc. 2020 à 16:09, Zowalla, Richard <
richard.zowa...@hs-heilbronn.de> a écrit :

> Okay. Thanks for the feedback - today, I learned a lot about the
> insides of Javamail :)
>
> I have updated my PR:
>
> - Updated README.txt to contain some documentation about setting a
> custom ssl socket factory
> - Dropped TLSv1 in the fallback protocols (if no custom set properties
> are present)
>
> Thanks,
> Richard
>
>
> Am Mittwoch, den 02.12.2020, 15:29 +0100 schrieb Romain Manni-Bucau:
> > Guess you can just create a readme in the geronimo-javamail root
> > project, will be sufficient as a first step.
> > Abou he default I wonder if dropping tlsv1 cant be good since it will
> > be dropped soon?
> > Otherwise just adding the missing "o" in protocols i'm fine with your
> > proposal.
> >
> > We need to refine if we do a javamail subsite or a generic spec
> > subsite sill :s.
> >
> > Romain Manni-Bucau
> > @rmannibucau |  Blog | Old Blog | Github | LinkedIn | Book
> >
> >
> > Le mer. 2 déc. 2020 à 15:26, Zowalla, Richard <
> > richard.zowa...@hs-heilbronn.de> a écrit :
> > > I updated the diff (cf. v2) to (hopefully) address the concerns
> > > raised
> > > (if I understood them correctly).
> > >
> > > If you point me to a location where I can add a README /
> > > documentation,
> > > I would be happy to fill another JIRA with a related PR to document
> > > the
> > > usage of the custom ssl socket factory.
> > >
> > > Am Mittwoch, den 02.12.2020, 13:58 + schrieb Zowalla, Richard:
> > > > Thanks for your thoughs - I think, I get the idea.
> > > >
> > > > Maybe:
> > > >
> > > > - Using "mail.smtp.ssl.protocls" to allow easier configuration
> > > (as
> > > > proposed in the PR) for MailConnection#getConnectedTLSSocket() -
> > > > would
> > > > address 1.
> > > >
> > > > - To address 3. and pre-claim: PR would enable all protocols;
> > > maybe
> > > > address this concern by adding a default fallback pointing to
> > > TLSv1,
> > > > TLSv1.1, TLSv1.2 and TLS v1.3 (if supported) if no custom
> > > > configuration
> > > > via "mail.smtp.ssl.protocls" is present?
> > > >
> > > > - Documentation is always appreciated ;)
> > > >
> > > > Wdyt?
> > > >
> > > > Am Mittwoch, den 02.12.2020, 14:41 +0100 schrieb Romain Manni-
> > > Bucau:
> > > > > Yes but issue that we don't want to enable them all too.
> > > > > So to be concrete what about:
> > > > >
> > > > > 1. Enable a smoother configuration (to avoid a custom class)
> > > > > 2. Document the custom class case better (at least in a readme)
> > > > > 3. Change a bit default to inherit JVM ones
> > > > >
> > > > > Think we should make the 3 to consider this case treated (does
> > > not
> > > > > mean it must be in the same PR but more before next release).
> > > > > Wdyt?
> > > > >
> > > > > Romain Manni-Bucau
> > > > > @rmannibucau |  Blog | Old Blog | Github | LinkedIn | Book
> > > > >
> > > > >
> > > > > Le mer. 2 déc. 2020 à 13:20, Zowalla, Richard <
> > > > > richard.zowa...@hs-heilbronn.de> a écrit :
> > > > > > Ah sorry - I misunderstood your comment.
> > > > > >
> > > > > > A custom socket factory would indeed fix the problem, but it
> > > is
> > > > > > rather undocumented.
> > > > > >
> > > > > > Nevertheless I think, that the default fallback shouldn't be
> > > > > > hardcoded or at least support some more protocols...
> > > > > >
> > > > > > Best and thanks for the idea,
> > > > > > Richard
> > > > > >
> > > > > > Am Mittwoch, den 02.12.2020, 12:16 + schrieb Zowalla,
> > > > > > Richard:
> > > > > > > Honestly I didn't. I discovered the hard-coded
> > > > > > > String[]("TLSv1")
> > > > > > > in
> > > > > > > MailConnection#getConnectedTLSSocket(), which is (imho) a
> > > bit
> > > > > > > odd.
> > > > > > >
> > > > > > > Imho, users should either be allowed to specify the enabled
> > > > > > > (and
> > > > > > > supported) protocols or to use the default ones provided by
> > > the
> > > > > > > jdk
> > > > > > > classes :)
> > > > > > >
> > > > > > > This is already done for
> > > MailConnection#getConnectedSSLSocket
> > > > > > > but
> > > > > > > not
> > > > > > > for the TLS handling.
> > > > > > >
> > > > > > >
> > > > > > > Am Mittwoch, den 02.12.2020, 13:09 +0100 schrieb Romain
> > > Manni-
> > > > > > > Bucau:
> > > > > > > > Hi Richard,
> > > > > > > >
> > > > > > > > Did you try a custom socket factory? In such a case you
> > > fully
> > > > > > > > control
> > > > > > > > it.
> > > > > > > >
> > > > > > > > Romain Manni-Bucau
> > > > > > > > @rmannibucau |  Blog | Old Blog | Github | LinkedIn |
> > > Book
> > > > > > > >
> > > > > > > >
> > > > > > > > Le mer. 2

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

2020-12-02 Thread Zowalla, Richard

Okay. Thanks for the feedback - today, I learned a lot about the
insides of Javamail :)

I have updated my PR:

- Updated README.txt to contain some documentation about setting a
custom ssl socket factory
- Dropped TLSv1 in the fallback protocols (if no custom set properties
are present)

Thanks,
Richard


Am Mittwoch, den 02.12.2020, 15:29 +0100 schrieb Romain Manni-Bucau:
> Guess you can just create a readme in the geronimo-javamail root
> project, will be sufficient as a first step.
> Abou he default I wonder if dropping tlsv1 cant be good since it will
> be dropped soon?
> Otherwise just adding the missing "o" in protocols i'm fine with your
> proposal.
> 
> We need to refine if we do a javamail subsite or a generic spec
> subsite sill :s.
> 
> Romain Manni-Bucau
> @rmannibucau |  Blog | Old Blog | Github | LinkedIn | Book
> 
> 
> Le mer. 2 déc. 2020 à 15:26, Zowalla, Richard <
> richard.zowa...@hs-heilbronn.de> a écrit :
> > I updated the diff (cf. v2) to (hopefully) address the concerns
> > raised
> > (if I understood them correctly).
> > 
> > If you point me to a location where I can add a README /
> > documentation,
> > I would be happy to fill another JIRA with a related PR to document
> > the
> > usage of the custom ssl socket factory.
> > 
> > Am Mittwoch, den 02.12.2020, 13:58 + schrieb Zowalla, Richard:
> > > Thanks for your thoughs - I think, I get the idea.
> > > 
> > > Maybe:
> > > 
> > > - Using "mail.smtp.ssl.protocls" to allow easier configuration
> > (as
> > > proposed in the PR) for MailConnection#getConnectedTLSSocket() -
> > > would
> > > address 1.
> > > 
> > > - To address 3. and pre-claim: PR would enable all protocols;
> > maybe
> > > address this concern by adding a default fallback pointing to
> > TLSv1,
> > > TLSv1.1, TLSv1.2 and TLS v1.3 (if supported) if no custom
> > > configuration
> > > via "mail.smtp.ssl.protocls" is present?
> > > 
> > > - Documentation is always appreciated ;)
> > > 
> > > Wdyt?
> > > 
> > > Am Mittwoch, den 02.12.2020, 14:41 +0100 schrieb Romain Manni-
> > Bucau:
> > > > Yes but issue that we don't want to enable them all too.
> > > > So to be concrete what about:
> > > > 
> > > > 1. Enable a smoother configuration (to avoid a custom class)
> > > > 2. Document the custom class case better (at least in a readme)
> > > > 3. Change a bit default to inherit JVM ones
> > > > 
> > > > Think we should make the 3 to consider this case treated (does
> > not
> > > > mean it must be in the same PR but more before next release).
> > > > Wdyt?
> > > > 
> > > > Romain Manni-Bucau
> > > > @rmannibucau |  Blog | Old Blog | Github | LinkedIn | Book
> > > > 
> > > > 
> > > > Le mer. 2 déc. 2020 à 13:20, Zowalla, Richard <
> > > > richard.zowa...@hs-heilbronn.de> a écrit :
> > > > > Ah sorry - I misunderstood your comment.
> > > > > 
> > > > > A custom socket factory would indeed fix the problem, but it
> > is
> > > > > rather undocumented.
> > > > > 
> > > > > Nevertheless I think, that the default fallback shouldn't be
> > > > > hardcoded or at least support some more protocols...
> > > > > 
> > > > > Best and thanks for the idea,
> > > > > Richard
> > > > > 
> > > > > Am Mittwoch, den 02.12.2020, 12:16 + schrieb Zowalla,
> > > > > Richard:
> > > > > > Honestly I didn't. I discovered the hard-coded
> > > > > > String[]("TLSv1")
> > > > > > in
> > > > > > MailConnection#getConnectedTLSSocket(), which is (imho) a
> > bit
> > > > > > odd.
> > > > > > 
> > > > > > Imho, users should either be allowed to specify the enabled
> > > > > > (and
> > > > > > supported) protocols or to use the default ones provided by
> > the
> > > > > > jdk
> > > > > > classes :)
> > > > > > 
> > > > > > This is already done for
> > MailConnection#getConnectedSSLSocket
> > > > > > but
> > > > > > not
> > > > > > for the TLS handling.
> > > > > > 
> > > > > > 
> > > > > > Am Mittwoch, den 02.12.2020, 13:09 +0100 schrieb Romain
> > Manni-
> > > > > > Bucau:
> > > > > > > Hi Richard,
> > > > > > > 
> > > > > > > Did you try a custom socket factory? In such a case you
> > fully
> > > > > > > control
> > > > > > > it.
> > > > > > > 
> > > > > > > Romain Manni-Bucau
> > > > > > > @rmannibucau |  Blog | Old Blog | Github | LinkedIn |
> > Book
> > > > > > > 
> > > > > > > 
> > > > > > > Le mer. 2 déc. 2020 à 13:01, Zowalla, Richard <
> > > > > > > richard.zowa...@hs-heilbronn.de
> > > > > > > > a écrit :
> > > > > > > > Hi,
> > > > > > > > 
> > > > > > > > I did some debugging and found, that TLSv1 is hard-
> > coded in
> > > > > > > > MailConnection.java in v1.0.0 of Geronimo Java Mail.
> > > > > > > > 
> > > > > > > > I filled a JIRA [1], which contains a patch proposal.
> > > > > > > > 
> > > > > > > > Happy to receive some feedback.
> > > > > > > > 
> > > > > > > > Thanks in advance,
> > > > > > > > Richard
> > > > > > > > 
> > > > > > > > [1] 
> > > > > > > > https://issues.apache.org/jira/browse/GERONIMO-6792
> > > > > > > > 
> > > > > > > > 
> > > > > 
> > > > > -- 
> > > > > 
> > > > >

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

2020-12-02 Thread Zowalla, Richard

Ah ... typo was only in the mail ;)
Thx

Am Mittwoch, den 02.12.2020, 15:38 +0100 schrieb Romain Manni-Bucau:
>  "mail.smtp.ssl.protocls" <- I would have added a "o" between the
> last "c" and "l" ;)
> 
> Romain Manni-Bucau
> @rmannibucau |  Blog | Old Blog | Github | LinkedIn | Book
> 
> 
> Le mer. 2 déc. 2020 à 15:37, Zowalla, Richard <
> richard.zowa...@hs-heilbronn.de> a écrit :
> > Thanks. Removing TLSv1 in the fallback is fine for me.
> > Didn't find the missing "o", though :D
> > 
> > I will update the README and include it in my patch proposal (so no
> > need for another issue).
> > 
> > 
> > Am Mittwoch, den 02.12.2020, 15:29 +0100 schrieb Romain Manni-
> > Bucau:
> > > Guess you can just create a readme in the geronimo-javamail root
> > > project, will be sufficient as a first step.
> > > Abou he default I wonder if dropping tlsv1 cant be good since it
> > will
> > > be dropped soon?
> > > Otherwise just adding the missing "o" in protocols i'm fine with
> > your
> > > proposal.
> > > 
> > > We need to refine if we do a javamail subsite or a generic spec
> > > subsite sill :s.
> > > 
> > > Romain Manni-Bucau
> > > @rmannibucau |  Blog | Old Blog | Github | LinkedIn | Book
> > > 
> > > 
> > > 
> > > Le mer. 2 déc. 2020 à 15:26, Zowalla, Richard <
> > > richard.zowa...@hs-heilbronn.de> a écrit :
> > > > I updated the diff (cf. v2) to (hopefully) address the concerns
> > > > raised
> > > > (if I understood them correctly).
> > > > 
> > > > If you point me to a location where I can add a README /
> > > > documentation,
> > > > I would be happy to fill another JIRA with a related PR to
> > document
> > > > the
> > > > usage of the custom ssl socket factory.
> > > > 
> > > > Am Mittwoch, den 02.12.2020, 13:58 + schrieb Zowalla,
> > Richard:
> > > > > Thanks for your thoughs - I think, I get the idea.
> > > > > 
> > > > > Maybe:
> > > > > 
> > > > > - Using "mail.smtp.ssl.protocls" to allow easier
> > configuration
> > > > (as
> > > > > proposed in the PR) for
> > MailConnection#getConnectedTLSSocket() -
> > > > > would
> > > > > address 1.
> > > > > 
> > > > > - To address 3. and pre-claim: PR would enable all protocols;
> > > > maybe
> > > > > address this concern by adding a default fallback pointing to
> > > > TLSv1,
> > > > > TLSv1.1, TLSv1.2 and TLS v1.3 (if supported) if no custom
> > > > > configuration
> > > > > via "mail.smtp.ssl.protocls" is present?
> > > > > 
> > > > > - Documentation is always appreciated ;)
> > > > > 
> > > > > Wdyt?
> > > > > 
> > > > > Am Mittwoch, den 02.12.2020, 14:41 +0100 schrieb Romain
> > Manni-
> > > > Bucau:
> > > > > > Yes but issue that we don't want to enable them all too.
> > > > > > So to be concrete what about:
> > > > > > 
> > > > > > 1. Enable a smoother configuration (to avoid a custom
> > class)
> > > > > > 2. Document the custom class case better (at least in a
> > readme)
> > > > > > 3. Change a bit default to inherit JVM ones
> > > > > > 
> > > > > > Think we should make the 3 to consider this case treated
> > (does
> > > > not
> > > > > > mean it must be in the same PR but more before next
> > release).
> > > > > > Wdyt?
> > > > > > 
> > > > > > Romain Manni-Bucau
> > > > > > @rmannibucau |  Blog | Old Blog | Github | LinkedIn | Book
> > > > > > 
> > > > > > 
> > > > > > Le mer. 2 déc. 2020 à 13:20, Zowalla, Richard <
> > > > > > richard.zowa...@hs-heilbronn.de> a écrit :
> > > > > > > Ah sorry - I misunderstood your comment.
> > > > > > > 
> > > > > > > A custom socket factory would indeed fix the problem, but
> > it
> > > > is
> > > > > > > rather undocumented.
> > > > > > > 
> > > > > > > Nevertheless I think, that the default fallback shouldn't
> > be
> > > > > > > hardcoded or at least support some more protocols...
> > > > > > > 
> > > > > > > Best and thanks for the idea,
> > > > > > > Richard
> > > > > > > 
> > > > > > > Am Mittwoch, den 02.12.2020, 12:16 + schrieb Zowalla,
> > > > > > > Richard:
> > > > > > > > Honestly I didn't. I discovered the hard-coded
> > > > > > > > String[]("TLSv1")
> > > > > > > > in
> > > > > > > > MailConnection#getConnectedTLSSocket(), which is (imho)
> > a
> > > > bit
> > > > > > > > odd.
> > > > > > > > 
> > > > > > > > Imho, users should either be allowed to specify the
> > enabled
> > > > > > > > (and
> > > > > > > > supported) protocols or to use the default ones
> > provided by
> > > > the
> > > > > > > > jdk
> > > > > > > > classes :)
> > > > > > > > 
> > > > > > > > This is already done for
> > > > MailConnection#getConnectedSSLSocket
> > > > > > > > but
> > > > > > > > not
> > > > > > > > for the TLS handling.
> > > > > > > > 
> > > > > > > > 
> > > > > > > > Am Mittwoch, den 02.12.2020, 13:09 +0100 schrieb Romain
> > > > Manni-
> > > > > > > > Bucau:
> > > > > > > > > Hi Richard,
> > > > > > > > > 
> > > > > > > > > Did you try a custom socket factory? In such a case
> > you
> > > > fully
> > > > > > > > > control
> > > > > > > > > it.
> > > > > > > > > 
> > > > > > > > > Romain Manni-Bucau
>

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

2020-12-02 Thread Romain Manni-Bucau

 "mail.smtp.ssl.protocls" <- I would have added a "o" between the last "c"
and "l" ;)

Romain Manni-Bucau
@rmannibucau  |  Blog
 | Old Blog
 | Github  |
LinkedIn  | Book



Le mer. 2 déc. 2020 à 15:37, Zowalla, Richard <
richard.zowa...@hs-heilbronn.de> a écrit :

> Thanks. Removing TLSv1 in the fallback is fine for me.
> Didn't find the missing "o", though :D
>
> I will update the README and include it in my patch proposal (so no
> need for another issue).
>
>
> Am Mittwoch, den 02.12.2020, 15:29 +0100 schrieb Romain Manni-Bucau:
> > Guess you can just create a readme in the geronimo-javamail root
> > project, will be sufficient as a first step.
> > Abou he default I wonder if dropping tlsv1 cant be good since it will
> > be dropped soon?
> > Otherwise just adding the missing "o" in protocols i'm fine with your
> > proposal.
> >
> > We need to refine if we do a javamail subsite or a generic spec
> > subsite sill :s.
> >
> > Romain Manni-Bucau
> > @rmannibucau |  Blog | Old Blog | Github | LinkedIn | Book
> >
> >
> >
> > Le mer. 2 déc. 2020 à 15:26, Zowalla, Richard <
> > richard.zowa...@hs-heilbronn.de> a écrit :
> > > I updated the diff (cf. v2) to (hopefully) address the concerns
> > > raised
> > > (if I understood them correctly).
> > >
> > > If you point me to a location where I can add a README /
> > > documentation,
> > > I would be happy to fill another JIRA with a related PR to document
> > > the
> > > usage of the custom ssl socket factory.
> > >
> > > Am Mittwoch, den 02.12.2020, 13:58 + schrieb Zowalla, Richard:
> > > > Thanks for your thoughs - I think, I get the idea.
> > > >
> > > > Maybe:
> > > >
> > > > - Using "mail.smtp.ssl.protocls" to allow easier configuration
> > > (as
> > > > proposed in the PR) for MailConnection#getConnectedTLSSocket() -
> > > > would
> > > > address 1.
> > > >
> > > > - To address 3. and pre-claim: PR would enable all protocols;
> > > maybe
> > > > address this concern by adding a default fallback pointing to
> > > TLSv1,
> > > > TLSv1.1, TLSv1.2 and TLS v1.3 (if supported) if no custom
> > > > configuration
> > > > via "mail.smtp.ssl.protocls" is present?
> > > >
> > > > - Documentation is always appreciated ;)
> > > >
> > > > Wdyt?
> > > >
> > > > Am Mittwoch, den 02.12.2020, 14:41 +0100 schrieb Romain Manni-
> > > Bucau:
> > > > > Yes but issue that we don't want to enable them all too.
> > > > > So to be concrete what about:
> > > > >
> > > > > 1. Enable a smoother configuration (to avoid a custom class)
> > > > > 2. Document the custom class case better (at least in a readme)
> > > > > 3. Change a bit default to inherit JVM ones
> > > > >
> > > > > Think we should make the 3 to consider this case treated (does
> > > not
> > > > > mean it must be in the same PR but more before next release).
> > > > > Wdyt?
> > > > >
> > > > > Romain Manni-Bucau
> > > > > @rmannibucau |  Blog | Old Blog | Github | LinkedIn | Book
> > > > >
> > > > >
> > > > > Le mer. 2 déc. 2020 à 13:20, Zowalla, Richard <
> > > > > richard.zowa...@hs-heilbronn.de> a écrit :
> > > > > > Ah sorry - I misunderstood your comment.
> > > > > >
> > > > > > A custom socket factory would indeed fix the problem, but it
> > > is
> > > > > > rather undocumented.
> > > > > >
> > > > > > Nevertheless I think, that the default fallback shouldn't be
> > > > > > hardcoded or at least support some more protocols...
> > > > > >
> > > > > > Best and thanks for the idea,
> > > > > > Richard
> > > > > >
> > > > > > Am Mittwoch, den 02.12.2020, 12:16 + schrieb Zowalla,
> > > > > > Richard:
> > > > > > > Honestly I didn't. I discovered the hard-coded
> > > > > > > String[]("TLSv1")
> > > > > > > in
> > > > > > > MailConnection#getConnectedTLSSocket(), which is (imho) a
> > > bit
> > > > > > > odd.
> > > > > > >
> > > > > > > Imho, users should either be allowed to specify the enabled
> > > > > > > (and
> > > > > > > supported) protocols or to use the default ones provided by
> > > the
> > > > > > > jdk
> > > > > > > classes :)
> > > > > > >
> > > > > > > This is already done for
> > > MailConnection#getConnectedSSLSocket
> > > > > > > but
> > > > > > > not
> > > > > > > for the TLS handling.
> > > > > > >
> > > > > > >
> > > > > > > Am Mittwoch, den 02.12.2020, 13:09 +0100 schrieb Romain
> > > Manni-
> > > > > > > Bucau:
> > > > > > > > Hi Richard,
> > > > > > > >
> > > > > > > > Did you try a custom socket factory? In such a case you
> > > fully
> > > > > > > > control
> > > > > > > > it.
> > > > > > > >
> > > > > > > > Romain Manni-Bucau
> > > > > > > > @rmannibucau |  Blog | Old Blog | Github | LinkedIn |
> > > Book
> > > > > > > >
> > > > > > > >
> > > > > > > > Le mer. 2 déc. 2020 à 13:01, Zowalla, Richard <
> > > > > > > >

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

2020-12-02 Thread Zowalla, Richard

Thanks. Removing TLSv1 in the fallback is fine for me.
Didn't find the missing "o", though :D

I will update the README and include it in my patch proposal (so no
need for another issue).


Am Mittwoch, den 02.12.2020, 15:29 +0100 schrieb Romain Manni-Bucau:
> Guess you can just create a readme in the geronimo-javamail root
> project, will be sufficient as a first step.
> Abou he default I wonder if dropping tlsv1 cant be good since it will
> be dropped soon?
> Otherwise just adding the missing "o" in protocols i'm fine with your
> proposal.
> 
> We need to refine if we do a javamail subsite or a generic spec
> subsite sill :s.
> 
> Romain Manni-Bucau
> @rmannibucau |  Blog | Old Blog | Github | LinkedIn | Book
> 
> 
> 
> Le mer. 2 déc. 2020 à 15:26, Zowalla, Richard <
> richard.zowa...@hs-heilbronn.de> a écrit :
> > I updated the diff (cf. v2) to (hopefully) address the concerns
> > raised
> > (if I understood them correctly).
> > 
> > If you point me to a location where I can add a README /
> > documentation,
> > I would be happy to fill another JIRA with a related PR to document
> > the
> > usage of the custom ssl socket factory.
> > 
> > Am Mittwoch, den 02.12.2020, 13:58 + schrieb Zowalla, Richard:
> > > Thanks for your thoughs - I think, I get the idea.
> > > 
> > > Maybe:
> > > 
> > > - Using "mail.smtp.ssl.protocls" to allow easier configuration
> > (as
> > > proposed in the PR) for MailConnection#getConnectedTLSSocket() -
> > > would
> > > address 1.
> > > 
> > > - To address 3. and pre-claim: PR would enable all protocols;
> > maybe
> > > address this concern by adding a default fallback pointing to
> > TLSv1,
> > > TLSv1.1, TLSv1.2 and TLS v1.3 (if supported) if no custom
> > > configuration
> > > via "mail.smtp.ssl.protocls" is present?
> > > 
> > > - Documentation is always appreciated ;)
> > > 
> > > Wdyt?
> > > 
> > > Am Mittwoch, den 02.12.2020, 14:41 +0100 schrieb Romain Manni-
> > Bucau:
> > > > Yes but issue that we don't want to enable them all too.
> > > > So to be concrete what about:
> > > > 
> > > > 1. Enable a smoother configuration (to avoid a custom class)
> > > > 2. Document the custom class case better (at least in a readme)
> > > > 3. Change a bit default to inherit JVM ones
> > > > 
> > > > Think we should make the 3 to consider this case treated (does
> > not
> > > > mean it must be in the same PR but more before next release).
> > > > Wdyt?
> > > > 
> > > > Romain Manni-Bucau
> > > > @rmannibucau |  Blog | Old Blog | Github | LinkedIn | Book
> > > > 
> > > > 
> > > > Le mer. 2 déc. 2020 à 13:20, Zowalla, Richard <
> > > > richard.zowa...@hs-heilbronn.de> a écrit :
> > > > > Ah sorry - I misunderstood your comment.
> > > > > 
> > > > > A custom socket factory would indeed fix the problem, but it
> > is
> > > > > rather undocumented.
> > > > > 
> > > > > Nevertheless I think, that the default fallback shouldn't be
> > > > > hardcoded or at least support some more protocols...
> > > > > 
> > > > > Best and thanks for the idea,
> > > > > Richard
> > > > > 
> > > > > Am Mittwoch, den 02.12.2020, 12:16 + schrieb Zowalla,
> > > > > Richard:
> > > > > > Honestly I didn't. I discovered the hard-coded
> > > > > > String[]("TLSv1")
> > > > > > in
> > > > > > MailConnection#getConnectedTLSSocket(), which is (imho) a
> > bit
> > > > > > odd.
> > > > > > 
> > > > > > Imho, users should either be allowed to specify the enabled
> > > > > > (and
> > > > > > supported) protocols or to use the default ones provided by
> > the
> > > > > > jdk
> > > > > > classes :)
> > > > > > 
> > > > > > This is already done for
> > MailConnection#getConnectedSSLSocket
> > > > > > but
> > > > > > not
> > > > > > for the TLS handling.
> > > > > > 
> > > > > > 
> > > > > > Am Mittwoch, den 02.12.2020, 13:09 +0100 schrieb Romain
> > Manni-
> > > > > > Bucau:
> > > > > > > Hi Richard,
> > > > > > > 
> > > > > > > Did you try a custom socket factory? In such a case you
> > fully
> > > > > > > control
> > > > > > > it.
> > > > > > > 
> > > > > > > Romain Manni-Bucau
> > > > > > > @rmannibucau |  Blog | Old Blog | Github | LinkedIn |
> > Book
> > > > > > > 
> > > > > > > 
> > > > > > > Le mer. 2 déc. 2020 à 13:01, Zowalla, Richard <
> > > > > > > richard.zowa...@hs-heilbronn.de
> > > > > > > > a écrit :
> > > > > > > > Hi,
> > > > > > > > 
> > > > > > > > I did some debugging and found, that TLSv1 is hard-
> > coded in
> > > > > > > > MailConnection.java in v1.0.0 of Geronimo Java Mail.
> > > > > > > > 
> > > > > > > > I filled a JIRA [1], which contains a patch proposal.
> > > > > > > > 
> > > > > > > > Happy to receive some feedback.
> > > > > > > > 
> > > > > > > > Thanks in advance,
> > > > > > > > Richard
> > > > > > > > 
> > > > > > > > [1] 
> > > > > > > > https://issues.apache.org/jira/browse/GERONIMO-6792
> > > > > > > > 
> > > > > > > > 
> > > > > 
> > > > > -- 
> > > > > 
> > > > > Richard Zowalla, M.Sc.
> > > > > Research Associate, PhD Student | Medical Informatics
> > > > > 
> > > > >

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

2020-12-02 Thread Romain Manni-Bucau

Guess you can just create a readme in the geronimo-javamail root project,
will be sufficient as a first step.
Abou he default I wonder if dropping tlsv1 cant be good since it will be
dropped soon?
Otherwise just adding the missing "o" in protocols i'm fine with your
proposal.

We need to refine if we do a javamail subsite or a generic spec subsite
sill :s.

Romain Manni-Bucau
@rmannibucau  |  Blog
 | Old Blog
 | Github  |
LinkedIn  | Book



Le mer. 2 déc. 2020 à 15:26, Zowalla, Richard <
richard.zowa...@hs-heilbronn.de> a écrit :

> I updated the diff (cf. v2) to (hopefully) address the concerns raised
> (if I understood them correctly).
>
> If you point me to a location where I can add a README / documentation,
> I would be happy to fill another JIRA with a related PR to document the
> usage of the custom ssl socket factory.
>
> Am Mittwoch, den 02.12.2020, 13:58 + schrieb Zowalla, Richard:
> > Thanks for your thoughs - I think, I get the idea.
> >
> > Maybe:
> >
> > - Using "mail.smtp.ssl.protocls" to allow easier configuration (as
> > proposed in the PR) for MailConnection#getConnectedTLSSocket() -
> > would
> > address 1.
> >
> > - To address 3. and pre-claim: PR would enable all protocols; maybe
> > address this concern by adding a default fallback pointing to TLSv1,
> > TLSv1.1, TLSv1.2 and TLS v1.3 (if supported) if no custom
> > configuration
> > via "mail.smtp.ssl.protocls" is present?
> >
> > - Documentation is always appreciated ;)
> >
> > Wdyt?
> >
> > Am Mittwoch, den 02.12.2020, 14:41 +0100 schrieb Romain Manni-Bucau:
> > > Yes but issue that we don't want to enable them all too.
> > > So to be concrete what about:
> > >
> > > 1. Enable a smoother configuration (to avoid a custom class)
> > > 2. Document the custom class case better (at least in a readme)
> > > 3. Change a bit default to inherit JVM ones
> > >
> > > Think we should make the 3 to consider this case treated (does not
> > > mean it must be in the same PR but more before next release).
> > > Wdyt?
> > >
> > > Romain Manni-Bucau
> > > @rmannibucau |  Blog | Old Blog | Github | LinkedIn | Book
> > >
> > >
> > > Le mer. 2 déc. 2020 à 13:20, Zowalla, Richard <
> > > richard.zowa...@hs-heilbronn.de> a écrit :
> > > > Ah sorry - I misunderstood your comment.
> > > >
> > > > A custom socket factory would indeed fix the problem, but it is
> > > > rather undocumented.
> > > >
> > > > Nevertheless I think, that the default fallback shouldn't be
> > > > hardcoded or at least support some more protocols...
> > > >
> > > > Best and thanks for the idea,
> > > > Richard
> > > >
> > > > Am Mittwoch, den 02.12.2020, 12:16 + schrieb Zowalla,
> > > > Richard:
> > > > > Honestly I didn't. I discovered the hard-coded
> > > > > String[]("TLSv1")
> > > > > in
> > > > > MailConnection#getConnectedTLSSocket(), which is (imho) a bit
> > > > > odd.
> > > > >
> > > > > Imho, users should either be allowed to specify the enabled
> > > > > (and
> > > > > supported) protocols or to use the default ones provided by the
> > > > > jdk
> > > > > classes :)
> > > > >
> > > > > This is already done for MailConnection#getConnectedSSLSocket
> > > > > but
> > > > > not
> > > > > for the TLS handling.
> > > > >
> > > > >
> > > > > Am Mittwoch, den 02.12.2020, 13:09 +0100 schrieb Romain Manni-
> > > > > Bucau:
> > > > > > Hi Richard,
> > > > > >
> > > > > > Did you try a custom socket factory? In such a case you fully
> > > > > > control
> > > > > > it.
> > > > > >
> > > > > > Romain Manni-Bucau
> > > > > > @rmannibucau |  Blog | Old Blog | Github | LinkedIn | Book
> > > > > >
> > > > > >
> > > > > > Le mer. 2 déc. 2020 à 13:01, Zowalla, Richard <
> > > > > > richard.zowa...@hs-heilbronn.de
> > > > > > > a écrit :
> > > > > > > Hi,
> > > > > > >
> > > > > > > I did some debugging and found, that TLSv1 is hard-coded in
> > > > > > > MailConnection.java in v1.0.0 of Geronimo Java Mail.
> > > > > > >
> > > > > > > I filled a JIRA [1], which contains a patch proposal.
> > > > > > >
> > > > > > > Happy to receive some feedback.
> > > > > > >
> > > > > > > Thanks in advance,
> > > > > > > Richard
> > > > > > >
> > > > > > > [1]
> > > > > > > https://issues.apache.org/jira/browse/GERONIMO-6792
> > > > > > >
> > > > > > >
> > > >
> > > > --
> > > >
> > > > Richard Zowalla, M.Sc.
> > > > Research Associate, PhD Student | Medical Informatics
> > > >
> > > > Hochschule Heilbronn – University of Applied Sciences
> > > > Max-Planck-Str. 39
> > > > D-74081 Heilbronn
> > > > phone: +49 7131 504 6791
> > > > mail: richard.zowa...@hs-heilbronn.de
> > > > web: https://www.mi.hs-heilbronn.de/
> --
> Richard Zowalla, M.Sc.Research Associate, PhD Student | Medical
> Informatics
> Hochschule Heilbronn – University of Applied

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

2020-12-02 Thread Zowalla, Richard

I updated the diff (cf. v2) to (hopefully) address the concerns raised
(if I understood them correctly).

If you point me to a location where I can add a README / documentation,
I would be happy to fill another JIRA with a related PR to document the
usage of the custom ssl socket factory.

Am Mittwoch, den 02.12.2020, 13:58 + schrieb Zowalla, Richard:
> Thanks for your thoughs - I think, I get the idea.
> 
> Maybe:
> 
> - Using "mail.smtp.ssl.protocls" to allow easier configuration (as
> proposed in the PR) for MailConnection#getConnectedTLSSocket() -
> would
> address 1.
> 
> - To address 3. and pre-claim: PR would enable all protocols; maybe
> address this concern by adding a default fallback pointing to TLSv1,
> TLSv1.1, TLSv1.2 and TLS v1.3 (if supported) if no custom
> configuration
> via "mail.smtp.ssl.protocls" is present?
> 
> - Documentation is always appreciated ;)
> 
> Wdyt?
> 
> Am Mittwoch, den 02.12.2020, 14:41 +0100 schrieb Romain Manni-Bucau:
> > Yes but issue that we don't want to enable them all too.
> > So to be concrete what about:
> > 
> > 1. Enable a smoother configuration (to avoid a custom class)
> > 2. Document the custom class case better (at least in a readme)
> > 3. Change a bit default to inherit JVM ones
> > 
> > Think we should make the 3 to consider this case treated (does not
> > mean it must be in the same PR but more before next release).
> > Wdyt?
> > 
> > Romain Manni-Bucau
> > @rmannibucau |  Blog | Old Blog | Github | LinkedIn | Book
> > 
> > 
> > Le mer. 2 déc. 2020 à 13:20, Zowalla, Richard <
> > richard.zowa...@hs-heilbronn.de> a écrit :
> > > Ah sorry - I misunderstood your comment.
> > > 
> > > A custom socket factory would indeed fix the problem, but it is
> > > rather undocumented.
> > > 
> > > Nevertheless I think, that the default fallback shouldn't be
> > > hardcoded or at least support some more protocols...
> > > 
> > > Best and thanks for the idea,
> > > Richard
> > > 
> > > Am Mittwoch, den 02.12.2020, 12:16 + schrieb Zowalla,
> > > Richard:
> > > > Honestly I didn't. I discovered the hard-coded
> > > > String[]("TLSv1")
> > > > in
> > > > MailConnection#getConnectedTLSSocket(), which is (imho) a bit
> > > > odd.
> > > > 
> > > > Imho, users should either be allowed to specify the enabled
> > > > (and
> > > > supported) protocols or to use the default ones provided by the
> > > > jdk
> > > > classes :)
> > > > 
> > > > This is already done for MailConnection#getConnectedSSLSocket
> > > > but
> > > > not
> > > > for the TLS handling.
> > > > 
> > > > 
> > > > Am Mittwoch, den 02.12.2020, 13:09 +0100 schrieb Romain Manni-
> > > > Bucau:
> > > > > Hi Richard,
> > > > > 
> > > > > Did you try a custom socket factory? In such a case you fully
> > > > > control
> > > > > it.
> > > > > 
> > > > > Romain Manni-Bucau
> > > > > @rmannibucau |  Blog | Old Blog | Github | LinkedIn | Book
> > > > > 
> > > > > 
> > > > > Le mer. 2 déc. 2020 à 13:01, Zowalla, Richard <
> > > > > richard.zowa...@hs-heilbronn.de
> > > > > > a écrit :
> > > > > > Hi,
> > > > > > 
> > > > > > I did some debugging and found, that TLSv1 is hard-coded in
> > > > > > MailConnection.java in v1.0.0 of Geronimo Java Mail.
> > > > > > 
> > > > > > I filled a JIRA [1], which contains a patch proposal.
> > > > > > 
> > > > > > Happy to receive some feedback.
> > > > > > 
> > > > > > Thanks in advance,
> > > > > > Richard
> > > > > > 
> > > > > > [1] 
> > > > > > https://issues.apache.org/jira/browse/GERONIMO-6792
> > > > > > 
> > > > > > 
> > > 
> > > -- 
> > > 
> > > Richard Zowalla, M.Sc.
> > > Research Associate, PhD Student | Medical Informatics
> > > 
> > > Hochschule Heilbronn – University of Applied Sciences
> > > Max-Planck-Str. 39 
> > > D-74081 Heilbronn 
> > > phone: +49 7131 504 6791
> > > mail: richard.zowa...@hs-heilbronn.de
> > > web: https://www.mi.hs-heilbronn.de/ 
-- 
Richard Zowalla, M.Sc.Research Associate, PhD Student | Medical
Informatics
Hochschule Heilbronn – University of Applied SciencesMax-Planck-Str.
39 D-74081 Heilbronn phone: +49 7131 504 6791mail: richard.zowalla@hs-
heilbronn.deweb: https://www.mi.hs-heilbronn.de/ 


smime.p7s
Description: S/MIME cryptographic signature

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

2020-12-02 Thread Zowalla, Richard

Thanks for your thoughs - I think, I get the idea.

Maybe:

- Using "mail.smtp.ssl.protocls" to allow easier configuration (as
proposed in the PR) for MailConnection#getConnectedTLSSocket() - would
address 1.

- To address 3. and pre-claim: PR would enable all protocols; maybe
address this concern by adding a default fallback pointing to TLSv1,
TLSv1.1, TLSv1.2 and TLS v1.3 (if supported) if no custom configuration
via "mail.smtp.ssl.protocls" is present?

- Documentation is always appreciated ;)

Wdyt?

Am Mittwoch, den 02.12.2020, 14:41 +0100 schrieb Romain Manni-Bucau:
> Yes but issue that we don't want to enable them all too.
> So to be concrete what about:
> 
> 1. Enable a smoother configuration (to avoid a custom class)
> 2. Document the custom class case better (at least in a readme)
> 3. Change a bit default to inherit JVM ones
> 
> Think we should make the 3 to consider this case treated (does not
> mean it must be in the same PR but more before next release).
> Wdyt?
> 
> Romain Manni-Bucau
> @rmannibucau |  Blog | Old Blog | Github | LinkedIn | Book
> 
> 
> Le mer. 2 déc. 2020 à 13:20, Zowalla, Richard <
> richard.zowa...@hs-heilbronn.de> a écrit :
> > Ah sorry - I misunderstood your comment.
> > 
> > A custom socket factory would indeed fix the problem, but it is
> > rather undocumented.
> > 
> > Nevertheless I think, that the default fallback shouldn't be
> > hardcoded or at least support some more protocols...
> > 
> > Best and thanks for the idea,
> > Richard
> > 
> > Am Mittwoch, den 02.12.2020, 12:16 + schrieb Zowalla, Richard:
> > > Honestly I didn't. I discovered the hard-coded String[]("TLSv1")
> > > in
> > > MailConnection#getConnectedTLSSocket(), which is (imho) a bit
> > > odd.
> > > 
> > > Imho, users should either be allowed to specify the enabled (and
> > > supported) protocols or to use the default ones provided by the
> > > jdk
> > > classes :)
> > > 
> > > This is already done for MailConnection#getConnectedSSLSocket but
> > > not
> > > for the TLS handling.
> > > 
> > > 
> > > Am Mittwoch, den 02.12.2020, 13:09 +0100 schrieb Romain Manni-
> > > Bucau:
> > > > Hi Richard,
> > > > 
> > > > Did you try a custom socket factory? In such a case you fully
> > > > control
> > > > it.
> > > > 
> > > > Romain Manni-Bucau
> > > > @rmannibucau |  Blog | Old Blog | Github | LinkedIn | Book
> > > > 
> > > > 
> > > > Le mer. 2 déc. 2020 à 13:01, Zowalla, Richard <
> > > > richard.zowa...@hs-heilbronn.de
> > > > > a écrit :
> > > > > Hi,
> > > > > 
> > > > > I did some debugging and found, that TLSv1 is hard-coded in
> > > > > MailConnection.java in v1.0.0 of Geronimo Java Mail.
> > > > > 
> > > > > I filled a JIRA [1], which contains a patch proposal.
> > > > > 
> > > > > Happy to receive some feedback.
> > > > > 
> > > > > Thanks in advance,
> > > > > Richard
> > > > > 
> > > > > [1] 
> > > > > https://issues.apache.org/jira/browse/GERONIMO-6792
> > > > > 
> > > > > 
> > 
> > -- 
> > 
> > Richard Zowalla, M.Sc.
> > Research Associate, PhD Student | Medical Informatics
> > 
> > Hochschule Heilbronn – University of Applied Sciences
> > Max-Planck-Str. 39 
> > D-74081 Heilbronn 
> > phone: +49 7131 504 6791
> > mail: richard.zowa...@hs-heilbronn.de
> > web: https://www.mi.hs-heilbronn.de/ 
-- 
Richard Zowalla, M.Sc.
Research Associate, PhD Student | Medical Informatics

Hochschule Heilbronn – University of Applied Sciences
Max-Planck-Str. 39 
D-74081 Heilbronn 
phone: +49 7131 504 6791
mail: richard.zowa...@hs-heilbronn.de
web: https://www.mi.hs-heilbronn.de/ 


smime.p7s
Description: S/MIME cryptographic signature

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

2020-12-02 Thread Romain Manni-Bucau

Yes but issue that we don't want to enable them all too.
So to be concrete what about:

1. Enable a smoother configuration (to avoid a custom class)
2. Document the custom class case better (at least in a readme)
3. Change a bit default to inherit JVM ones

Think we should make the 3 to consider this case treated (does not mean it
must be in the same PR but more before next release).
Wdyt?

Romain Manni-Bucau
@rmannibucau  |  Blog
 | Old Blog
 | Github  |
LinkedIn  | Book



Le mer. 2 déc. 2020 à 13:20, Zowalla, Richard <
richard.zowa...@hs-heilbronn.de> a écrit :

> Ah sorry - I misunderstood your comment.
>
> A custom socket factory would indeed fix the problem, but it is rather
> undocumented.
>
> Nevertheless I think, that the default fallback shouldn't be hardcoded or
> at least support some more protocols...
>
> Best and thanks for the idea,
> Richard
>
> Am Mittwoch, den 02.12.2020, 12:16 + schrieb Zowalla, Richard:
>
> Honestly I didn't. I discovered the hard-coded String[]("TLSv1") in
>
> MailConnection#getConnectedTLSSocket(), which is (imho) a bit odd.
>
>
> Imho, users should either be allowed to specify the enabled (and
>
> supported) protocols or to use the default ones provided by the jdk
>
> classes :)
>
>
> This is already done for MailConnection#getConnectedSSLSocket but not
>
> for the TLS handling.
>
>
>
> Am Mittwoch, den 02.12.2020, 13:09 +0100 schrieb Romain Manni-Bucau:
>
> Hi Richard,
>
>
> Did you try a custom socket factory? In such a case you fully control
>
> it.
>
>
> Romain Manni-Bucau
>
> @rmannibucau |  Blog | Old Blog | Github | LinkedIn | Book
>
>
>
> Le mer. 2 déc. 2020 à 13:01, Zowalla, Richard <
>
> richard.zowa...@hs-heilbronn.de
>
> > a écrit :
>
> Hi,
>
>
> I did some debugging and found, that TLSv1 is hard-coded in
>
> MailConnection.java in v1.0.0 of Geronimo Java Mail.
>
>
> I filled a JIRA [1], which contains a patch proposal.
>
>
> Happy to receive some feedback.
>
>
> Thanks in advance,
>
> Richard
>
>
> [1]
>
> https://issues.apache.org/jira/browse/GERONIMO-6792
>
>
>
> --
>
> Richard Zowalla, M.Sc.
> Research Associate, PhD Student | Medical Informatics
>
> Hochschule Heilbronn – University of Applied Sciences
> Max-Planck-Str. 39
> D-74081 Heilbronn
> phone: +49 7131 504 6791
> mail: richard.zowa...@hs-heilbronn.de
> web: https://www.mi.hs-heilbronn.de/
>

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

2020-12-02 Thread Zowalla, Richard

Ah sorry - I misunderstood your comment.
A custom socket factory would indeed fix the problem, but it is rather
undocumented.
Nevertheless I think, that the default fallback shouldn't be hardcoded
or at least support some more protocols...
Best and thanks for the idea,Richard
Am Mittwoch, den 02.12.2020, 12:16 + schrieb Zowalla, Richard:
> Honestly I didn't. I discovered the hard-coded String[]("TLSv1")
> inMailConnection#getConnectedTLSSocket(), which is (imho) a bit odd.
> Imho, users should either be allowed to specify the enabled
> (andsupported) protocols or to use the default ones provided by the
> jdkclasses :)
> This is already done for MailConnection#getConnectedSSLSocket but
> notfor the TLS handling.
> 
> Am Mittwoch, den 02.12.2020, 13:09 +0100 schrieb Romain Manni-Bucau:
> > Hi Richard,
> > Did you try a custom socket factory? In such a case you fully
> > controlit.
> > Romain Manni-Bucau@rmannibucau |  Blog | Old Blog | Github |
> > LinkedIn | Book
> > 
> > Le mer. 2 déc. 2020 à 13:01, Zowalla, Richard <
> > richard.zowa...@hs-heilbronn.de> a écrit :
> > > Hi,
> > > I did some debugging and found, that TLSv1 is hard-coded
> > > inMailConnection.java in v1.0.0 of Geronimo Java Mail.
> > > I filled a JIRA [1], which contains a patch proposal.
> > > Happy to receive some feedback.
> > > Thanks in advance,Richard
> > > [1] https://issues.apache.org/jira/browse/GERONIMO-6792
> > > 
-- 
Richard Zowalla, M.Sc.Research Associate, PhD Student | Medical Informatics
Hochschule Heilbronn – University of Applied SciencesMax-Planck-Str. 39 D-74081 
Heilbronn phone: +49 7131 504 6791mail: richard.zowalla@hs-heilbronn.deweb: 
https://www.mi.hs-heilbronn.de/ 


smime.p7s
Description: S/MIME cryptographic signature

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

2020-12-02 Thread Zowalla, Richard

Honestly I didn't. I discovered the hard-coded String[]("TLSv1") in
MailConnection#getConnectedTLSSocket(), which is (imho) a bit odd.

Imho, users should either be allowed to specify the enabled (and
supported) protocols or to use the default ones provided by the jdk
classes :)

This is already done for MailConnection#getConnectedSSLSocket but not
for the TLS handling.


Am Mittwoch, den 02.12.2020, 13:09 +0100 schrieb Romain Manni-Bucau:
> Hi Richard,
> 
> Did you try a custom socket factory? In such a case you fully control
> it.
> 
> Romain Manni-Bucau
> @rmannibucau |  Blog | Old Blog | Github | LinkedIn | Book
> 
> 
> Le mer. 2 déc. 2020 à 13:01, Zowalla, Richard <
> richard.zowa...@hs-heilbronn.de> a écrit :
> > Hi,
> > 
> > I did some debugging and found, that TLSv1 is hard-coded in
> > MailConnection.java in v1.0.0 of Geronimo Java Mail.
> > 
> > I filled a JIRA [1], which contains a patch proposal.
> > 
> > Happy to receive some feedback.
> > 
> > Thanks in advance,
> > Richard
> > 
> > [1] https://issues.apache.org/jira/browse/GERONIMO-6792
> > 


smime.p7s
Description: S/MIME cryptographic signature

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

2020-12-02 Thread Romain Manni-Bucau

Hi Richard,

Did you try a custom socket factory? In such a case you fully control it.

Romain Manni-Bucau
@rmannibucau  |  Blog
 | Old Blog
 | Github  |
LinkedIn  | Book



Le mer. 2 déc. 2020 à 13:01, Zowalla, Richard <
richard.zowa...@hs-heilbronn.de> a écrit :

> Hi,
>
> I did some debugging and found, that TLSv1 is hard-coded in
> MailConnection.java in v1.0.0 of Geronimo Java Mail.
>
> I filled a JIRA [1], which contains a patch proposal.
>
> Happy to receive some feedback.
>
> Thanks in advance,
> Richard
>
> [1] https://issues.apache.org/jira/browse/GERONIMO-6792
>
>

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

2020-12-02 Thread Zowalla, Richard

Hi,

I did some debugging and found, that TLSv1 is hard-coded in
MailConnection.java in v1.0.0 of Geronimo Java Mail.

I filled a JIRA [1], which contains a patch proposal.

Happy to receive some feedback.

Thanks in advance,
Richard

[1] https://issues.apache.org/jira/browse/GERONIMO-6792



smime.p7s
Description: S/MIME cryptographic signature

Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

2020-12-01 Thread Romain Manni-Bucau

Hi,

it depends the (ssl) socketfactory and also the jvm which all do not
support tls 1.3 rather than javamail I think

Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> |  Blog
<https://rmannibucau.metawerx.net/> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
<https://www.packtpub.com/application-development/java-ee-8-high-performance>


Le mar. 1 déc. 2020 à 12:17, Jean-Louis Monteiro 
a écrit :

> If someone has an idea
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>
>
> -- Forwarded message -
> From: Jean-Louis Monteiro 
> Date: Tue, Dec 1, 2020 at 12:16 PM
> Subject: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3
> Support?
> To: 
>
>
> Hey Richard,
>
> Thanks for the detailed email.
> I have contributed recently to Geronimo Mail 1.6 but to be honest I can't
> answer out of my head.
>
> Cesar also worked on it, so he might be able to help.
> Other than that, I'm CC'ing Geronimo mailing list. Maybe Romain and others
> can help there.
>
> Jean-Louis
>
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
>
>
> On Tue, Dec 1, 2020 at 10:55 AM Zowalla, Richard <
> richard.zowa...@hs-heilbronn.de> wrote:
>
>> Hi all,
>>
>> I have updated our TomEE instances to 8.0.5 as (Geronimo) Java Mail 1.6
>> replaced the rather outdated (Geronimo) Java Mail 1.4 in this release.
>>
>> Up to now, we were using
>>
>> 
>> com.sun.mail
>> jakarta.mail
>> 1.6.5
>> provided
>> 
>>
>> as our mail server is configured to only support TLS 1.2 or TLS 1.3.
>> These protocols were not supported by Java Mail 1.4.
>>
>> I recently tried to migrate to the provided Geronimo Java Mail 1.6
>> hoping for better protocol support, but I get java.net.SocketException
>> due to a javax.net.ssl.SSLHandshakeException with "Received fatal
>> alert: protocol_version".
>>
>> The full stack trace and related debug output can be found here:
>> https://gist.github.com/rzo1/64c23a1d9be752eadf36cf3e1c719ffa)
>>
>> The mail session is configured as follows:
>>
>> 
>> 
>> 
>> mail.debug=true
>> mail.transport.protocol=smtp
>> mail.smtp.starttls.enable=true
>> mail.smtp.starttls.required=true
>> mail.smtp.ssl.enable=false
>> mail.smtp.host=mail.mail-server.com
>> mail.smtp.port=587
>> mail.smtp.auth=true
>> mail.smtp.user=d...@mail-server.com
>> 
>> password=fancyPassword
>> 
>> 
>>
>> Question:
>>
>> - Does anybody have an idea how to get Geronimo Java Mail 1.6 talking
>> via TLS 1.2 or TLS 1.3 to our mail server?
>>
>> - Is TLS 1.2 / TLS 1.3 supported in Geronimo Java Mail 1.6?
>>
>> If this is the wrong list, please give me an advice which list would be
>> a better fit.
>>
>> Thanks in advance,
>> Richard Z
>>
>>
>>
>>

Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

Re: Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

Re: Geronimo Java Mail 1.6 in TomEE 8.0.5 -> TLS 1.2 / 1.3 Support?

20 matches

Site Navigation

Mail list logo

Footer information