On 10/09/2013 12:26 PM, Carl Erberg wrote:
> Hi,
>
> in the user guide to commons email
> http://commons.apache.org/proper/commons-email/userguide.html
>
> I found the rather surprising statement:
> "When using a secured transport (STARTTLS or SSL) you can force validating
> the server's certificate by calling Email.setSSLCheckServerIdentity(true).
> Having said that this does not seem to work on any of my test servers
> (GMAIL, GMX)."
>
> I can confirm that my code also does not complain when I test it against a
> server with a self-signed certificate. setSSLCheckServerIdentity not working
> means that commons email is vulnerable to MiTM attacks.
>
> Is there a fix for this? Am I doing something wrong? Some misunderstanding?
> Any workaround? Is the user guide wrong?
>
> [ I would not discuss such a security issue on a public mailing list, if it
> wasn't already disclosed in the user guide ]
Hi Carl,
I have tested sending emails to GMAIL and a local postfix installation
with a self-signed certificate.
For the purpose of debugging the SSL handshake, I enabled the following
debug switch: System.setProperty("javax.net.debug", "all");
Results:
* GMAIL: SSL and TLS work fine, the gmail server certificate is
reported as trusted:
Found trusted certificate:
[
[
Version: V3
Subject: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
....
* LOCAL:
- without adding my local certificate to my trustStore, I get the
following exception:
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
at sun.security.validator.Validator.validate(Validator.java:203)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:841)
... 45 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)
... 50 more
- after adding the certificate to my trustStore, I can successfully
connect to the server and send emails
So it seems to work fine for me. The problem stated in the user guide may
relate to a time when the root CA (Equifax Secure Certificate
Authority) of the gmail certificate was not yet in the default
trustStore (it is now btw).
Best regards,
Thomas
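As an added illustration of what Thomas's test shows (this is not code from the thread or from the Commons Email project), the following Java helper sends one message with chain validation delegated to a dedicated trust store and hostname checking enabled via setSSLCheckServerIdentity. It assumes Commons Email 1.3+ and caller-supplied trust store path and credentials; the class and method names are hypothetical.

```java
import org.apache.commons.mail.DefaultAuthenticator;
import org.apache.commons.mail.Email;
import org.apache.commons.mail.EmailException;
import org.apache.commons.mail.SimpleEmail;
import javax.net.ssl.SSLHandshakeException;

/** Hypothetical helper (not part of Commons Email): one mail over a strictly validated TLS session. */
public class StrictTlsMail {
    /** Returns "sent" or "untrusted-cert" (handshake rejected, as in the PKIX trace above); rethrows other failures. */
    public static String send(String host, int port, boolean implicitTls,
                              String user, String pass, String from, String to,
                              String trustStorePath, String trustStorePassword) throws EmailException {
        // Chain validation is decided by the JSSE trust store, so use a dedicated store holding only the
        // mail server's CA, or its self-signed cert imported with (assumed file names):
        //   keytool -importcert -alias mail -file server.crt -keystore mail-truststore.jks
        System.setProperty("javax.net.ssl.trustStore", trustStorePath);
        System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);
        // Never set mail.smtp.ssl.trust=* : JavaMail would then accept any certificate, and the
        // self-signed-cert test above would "succeed" for the wrong reason.
        Email email = new SimpleEmail();
        email.setHostName(host);
        email.setAuthenticator(new DefaultAuthenticator(user, pass));
        if (implicitTls) {
            email.setSSLOnConnect(true);                  // TLS from the first byte (SMTPS, usually port 465)
            email.setSslSmtpPort(String.valueOf(port));   // SSL-on-connect mode reads the port from this setter
        } else {
            email.setSmtpPort(port);                      // plain submission port, usually 587
            email.setStartTLSEnabled(true);
            email.setStartTLSRequired(true);              // fail rather than fall back to cleartext
        }
        // Sets mail.smtp.ssl.checkserveridentity=true: hostname matching on top of chain validation, not a replacement.
        email.setSSLCheckServerIdentity(true);
        email.setFrom(from);
        email.addTo(to);
        email.setMsg("Sent only if the server certificate chains to the configured trust store.");
        try {
            email.send();
            return "sent";
        } catch (EmailException e) {
            for (Throwable t = e; t != null; t = t.getCause()) {
                if (t instanceof SSLHandshakeException) {
                    return "untrusted-cert";   // wraps the "unable to find valid certification path" trace
                }
            }
            throw e;                            // authentication, DNS and similar errors surface unchanged
        }
    }
}
```

Running it twice, once against an empty trust store and once after importing the server certificate, reproduces the two outcomes Thomas reports for the local postfix server.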