JDK-8272443 : SMTP doesn't work since JDK 11.0.11 by default because of disabled TLS protocols
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 11
  • Priority: P4
  • Status: Closed
  • Resolution: External
  • Submitted: 2021-08-12
  • Updated: 2021-08-27
  • Resolved: 2021-08-27
Description
ADDITIONAL SYSTEM INFORMATION :
OS: Ubuntu 18.04 (not checked in other systems).
JDK: OpenJDK 11.0.11 (the feature worked in 11.0.6).
SMTP server: smtp.office365.com

A DESCRIPTION OF THE PROBLEM :
In JDK 11.0.11, TLS 1.0 and 1.1 were disabled by default. However, this default configuration leads to an exception on an attempt to send an email via SMTP.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Install OpenJDK 11.0.11 under Ubuntu 18.04, keep default configuration.
sudo add-apt-repository ppa:openjdk-r/ppa
sudo apt update
sudo apt install -y openjdk-11-jdk
sudo update-alternatives --config java

2. Download the attached code sample, substitute constant values for some real values you know.
3. (negative scenario) Run as is.
4. (positive scenario) Run the same code with line 16 uncommented.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Both scenarios succeed, emails get sent.
ACTUAL -
Positive scenario succeeds, negative one fails with an exception:

Exception in thread "main" javax.mail.MessagingException: Could not convert socket to TLS;
  nested exception is:
	javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
	at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1907)
	at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:666)
	at javax.mail.Service.connect(Service.java:317)
	at javax.mail.Service.connect(Service.java:176)
	at javax.mail.Service.connect(Service.java:125)
	at javax.mail.Transport.send0(Transport.java:194)
	at javax.mail.Transport.send(Transport.java:124)
	at com.cassantec.email.Test.main(Test.java:34)
Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
	at java.base/sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:170)
	at java.base/sun.security.ssl.ClientHandshakeContext.<init>(ClientHandshakeContext.java:98)
	at java.base/sun.security.ssl.TransportContext.kickstart(TransportContext.java:221)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:433)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411)
	at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:549)
	at com.sun.mail.util.SocketFetcher.startTLS(SocketFetcher.java:486)
	at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:1902)
	... 7 more


---------- BEGIN SOURCE ----------
package com.emailtest;

import javax.mail.*;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;
import java.util.Properties;

public class Test {

    private static final String EMAIL_FROM = "<email_from>";
    private static final String EMAIL_TO = "<email_to>";
    private static final String PASSWORD = "<password>";

    public static void main(String[] args) throws Exception {
        var smtpProperties = new Properties();
        //smtpProperties.put("mail.smtp.ssl.protocols", "TLSv1.3 TLSv1.2");
        smtpProperties.put("mail.smtp.host", "smtp.office365.com");
        smtpProperties.put("mail.smtp.socketFactory.port", "587");
        smtpProperties.put("mail.smtp.socketFactory.fallback", "false");
        smtpProperties.put("mail.smtp.auth", "true");
        smtpProperties.put("mail.smtp.port", "587");
        smtpProperties.put("mail.smtp.starttls.enable", "true");
        var session = Session.getInstance(smtpProperties, new Authenticator() {
            @Override
            protected PasswordAuthentication getPasswordAuthentication() {
                return new PasswordAuthentication(EMAIL_FROM, PASSWORD);
            }
        });
        MimeMessage message = new MimeMessage(session);
        message.setFrom(new InternetAddress(EMAIL_FROM));
        message.addRecipient(Message.RecipientType.TO, new InternetAddress(EMAIL_TO));
        message.setText("Hello!");
        message.setSubject("Hello");
        Transport.send(message);
    }
}

---------- END SOURCE ----------

CUSTOMER SUBMITTED WORKAROUND :
Uncomment line 16, i.e. enable TLS 1.2 and 1.3 explicitly.

FREQUENCY : always
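
The following diagnostic is an added example, not part of the original report or of the JDK or JavaMail sources. It prints the JDK's TLS restrictions and reproduces the "No appropriate protocol" failure with plain JSSE and no network access. It assumes, which the page does not state, that the old mail library restricts the socket to a protocol the JDK now disables; TLSv1 stands in for that protocol, and the class name `TlsProtocolCheck` and the method `probe` are hypothetical.

```java
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;

public class TlsProtocolCheck {

    // Starts a client handshake restricted to the given protocols.
    // No network I/O happens: beginHandshake() only builds the handshake
    // context, which is where JSSE rejects a protocol list in which every
    // entry is disabled by the jdk.tls.disabledAlgorithms security property.
    static String probe(String... protocols) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(true);
        engine.setEnabledProtocols(protocols);
        try {
            engine.beginHandshake();
            return "handshake can start";
        } catch (SSLException e) {
            // The engine may wrap the original exception; report the root cause.
            Throwable root = e;
            while (root.getCause() != null) {
                root = root.getCause();
            }
            return "rejected: " + root.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        // "Supported" still lists TLSv1/TLSv1.1; "enabled" is what a socket
        // gets when the caller does not override the protocol list.
        SSLEngine defaults = SSLContext.getDefault().createSSLEngine();
        System.out.println("supported = " + Arrays.toString(defaults.getSupportedProtocols()));
        System.out.println("enabled   = " + Arrays.toString(defaults.getEnabledProtocols()));

        // Assumption: the old library pins a disabled protocol (TLSv1 here).
        System.out.println("TLSv1 only       -> " + probe("TLSv1"));
        // The submitter's workaround value for mail.smtp.ssl.protocols.
        System.out.println("TLSv1.3 TLSv1.2  -> " + probe("TLSv1.3", "TLSv1.2"));
    }
}
```

Run it with the same `java` binary the application uses, since `jdk.tls.disabledAlgorithms` comes from that installation's `java.security` file.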



Comments
Closed as external because the problem is not in JVM.
27-08-2021

Additional information from the submitter: Works like a charm with both 1.6.1 and 1.6.2. In this case, I think that it is enough to mention in https://www.oracle.com/java/technologies/javase/11all-relnotes.html#R11_0_11 that the change is breaking for the javax.mail:mail library, and the switch to com.sun.mail:java.mail is required.
24-08-2021

Suggested that the submitter use the following version of javax.mail.jar: com.sun.mail:javax.mail:1.6.1 https://mvnrepository.com/artifact/com.sun.mail/javax.mail/1.6.1
24-08-2021

Additional information from the submitter: I’ve attached the output of the positive and negative scenarios. In the positive scenario, the mail.smtp.ssl.protocols property is explicitly set to "TLSv1.3 TLSv1.2". Setting javax.net.debug in the code didn’t change anything, so I had to use the java -D key to set it. We use mail-1.4.7.jar (https://mvnrepository.com/artifact/javax.mail/mail/1.4.7). Maven pom.xml attached. If I try to upgrade to https://mvnrepository.com/artifact/javax.mail/javax.mail-api/1.6.2, the code doesn’t work as is.
24-08-2021

Asked the submitter to add the following properties and get the output: smtpProperties.setProperty("javax.net.debug", "ssl:handshake:verbose"); smtpProperties.setProperty("mail.debug","true"); and to provide the mail.jar/javax.mail.jar versions.
16-08-2021

Observations on Windows 10 with JDK 11.0.12: Passed. Received the emails from hotmail with/without TLS 1.2 and 1.3 enabled.
13-08-2021

Requested an account for testing from the submitter.
13-08-2021