Closed devops-cora closed 1 year ago
Gavster4
commented
1 year ago Look in your Go Server jre conf/security folder and see if you have a java.security. On the jdk.tls.disabledAlgorithms line remove the TLS algorithms and restart and see if that works for you. The other thing is that the plugin as-is looks at both the port and the TLS selection so make sure you're using 587 if you want STARTTLS.
chadlwilson
commented
1 year ago I generally wouldn't recommend enabling old (insecure) TLS algorithms, but all the same it'd be good to understand what GoCD and/or Java version people were using when they got this error.
Gavster4
commented
1 year ago I was on GoCD 22.3 running the packaged java which I think is 17 but I tried jdk 17-20 with 17-19 giving the same results and v20 failing to run my pipeline. I also tried seeing if I could repackage it with the newer version of javax mail but failed, possibly due to inexperience with java projects though. I have a server requiring STARTTLS on port 25 so I ended up modifying a copy of the plugin to ignore the port and always do STARTTLS but nothing would fix the ssl error except giving it more options. I had also tried, on jdk 19, to add in the new expanded security files from java with no change there either. I'd definitely prefer that it was running over tls 1.2 but I was running out of things to try. As a note, the email notifications from inside GoCD itself work fine on the same setup, it was just this plugin that wouldn't send out.
klinux
commented
1 year ago Hello @chadlwilson we are using the last version gocd 22.3.0 official container docker, and we are receiving this error.
chadlwilson
commented
1 year ago Interesting, this plugin uses an ancient javamail version from 2013, so I am not surprised it doesn't work. GoCD server has used far, far newer versions for a long time. Enabling old protocols on the Java level probably allows the mail library here to use it because it doesn't support newer versions.
Let me have a go at updating it.
chadlwilson
commented
1 year ago Hi folks, can one of you have a go with https://github.com/gocd-contrib/email-notifier/releases/tag/v1.2.0-169
If it works fine for you I'll release it more officially (edit: now done). Comparison to the last officially released version is https://github.com/gocd-contrib/email-notifier/compare/v1.1.0-154...v1.2.0-169
klinux
commented
1 year ago The same error here:
gocd-server-645cbcd9ff-wnp4z gocd-server jvm 1 | jakarta.mail.MessagingException: Could not connect to SMTP host: smtp.gmail.com, port: 587
gocd-server-645cbcd9ff-wnp4z gocd-server jvm 1 | at org.eclipse.angus.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:2260)
gocd-server-645cbcd9ff-wnp4z gocd-server jvm 1 | at org.eclipse.angus.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:753)
gocd-server-645cbcd9ff-wnp4z gocd-server jvm 1 | at jakarta.mail.Service.connect(Service.java:342)
gocd-server-645cbcd9ff-wnp4z gocd-server jvm 1 | at com.tw.go.plugin.SMTPMailSender.send(SMTPMailSender.java:55)
gocd-server-645cbcd9ff-wnp4z gocd-server jvm 1 | at com.tw.go.plugin.EmailNotificationPluginImpl.handleStageNotification(EmailNotificationPluginImpl.java:155)
gocd-server-645cbcd9ff-wnp4z gocd-server jvm 1 | at com.tw.go.plugin.EmailNotificationPluginImpl.handle(EmailNotificationPluginImpl.java:91)
gocd-server-645cbcd9ff-wnp4z gocd-server jvm 1 | at com.thoughtworks.go.plugin.infra.DefaultPluginManager.lambda$submitTo$0(DefaultPluginManager.java:134)
gocd-server-645cbcd9ff-wnp4z gocd-server jvm 1 | at com.thoughtworks.go.plugin.infra.FelixGoPluginOSGiFramework.executeActionOnTheService(FelixGoPluginOSGiFramework.java:208)
gocd-server-645cbcd9ff-wnp4z gocd-server jvm 1 | at com.thoughtworks.go.plugin.infra.FelixGoPluginOSGiFramework.doOn(FelixGoPluginOSGiFramework.java:164)
gocd-server-645cbcd9ff-wnp4z gocd-server jvm 1 | at com.thoughtworks.go.plugin.infra.DefaultPluginManager.submitTo(DefaultPluginManager.java:131)
gocd-server-645cbcd9ff-wnp4z gocd-server jvm 1 | at com.thoughtworks.go.plugin.access.PluginRequestHelper.submitRequest(PluginRequestHelper.java:49)
gocd-server-645cbcd9ff-wnp4z gocd-server jvm 1 | at com.thoughtworks.go.plugin.access.notification.NotificationExtension.notify(NotificationExtension.java:83)
gocd-server-645cbcd9ff-wnp4z gocd-server jvm 1 | at com.thoughtworks.go.server.messaging.notifications.PluginNotificationMessageListener.onMessage(PluginNotificationMessageListener.java:44)
gocd-server-645cbcd9ff-wnp4z gocd-server jvm 1 | at com.thoughtworks.go.server.messaging.notifications.PluginNotificationMessageListener.onMessage(PluginNotificationMessageListener.java:29)
gocd-server-645cbcd9ff-wnp4z gocd-server jvm 1 | at com.thoughtworks.go.server.messaging.activemq.JMSMessageListenerAdapter.runImpl(JMSMessageListenerAdapter.java:83)
gocd-server-645cbcd9ff-wnp4z gocd-server jvm 1 | at com.thoughtworks.go.server.messaging.activemq.JMSMessageListenerAdapter.run(JMSMessageListenerAdapter.java:63)
gocd-server-645cbcd9ff-wnp4z gocd-server jvm 1 | at java.base/java.lang.Thread.run(Unknown Source)
gocd-server-645cbcd9ff-wnp4z gocd-server jvm 1 | Caused by: javax.net.ssl.SSLException: Unsupported or unrecognized SSL message
gocd-server-645cbcd9ff-wnp4z gocd-server jvm 1 | at java.base/sun.security.ssl.SSLSocketInputRecord.handleUnknownRecord(Unknown Source)
gocd-server-645cbcd9ff-wnp4z gocd-server jvm 1 | at java.base/sun.security.ssl.SSLSocketInputRecord.decode(Unknown Source)
gocd-server-645cbcd9ff-wnp4z gocd-server jvm 1 | at java.base/sun.security.ssl.SSLTransport.decode(Unknown Source)
gocd-server-645cbcd9ff-wnp4z gocd-server jvm 1 | at java.base/sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
gocd-server-645cbcd9ff-wnp4z gocd-server jvm 1 | at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
gocd-server-645cbcd9ff-wnp4z gocd-server jvm 1 | at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
gocd-server-645cbcd9ff-wnp4z gocd-server jvm 1 | at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
gocd-server-645cbcd9ff-wnp4z gocd-server jvm 1 | at org.eclipse.angus.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:628)
gocd-server-645cbcd9ff-wnp4z gocd-server jvm 1 | at org.eclipse.angus.mail.util.SocketFetcher.createSocket(SocketFetcher.java:402)
gocd-server-645cbcd9ff-wnp4z gocd-server jvm 1 | at org.eclipse.angus.mail.util.SocketFetcher.getSocket(SocketFetcher.java:236)
gocd-server-645cbcd9ff-wnp4z gocd-server jvm 1 | at org.eclipse.angus.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:2208)
gocd-server-645cbcd9ff-wnp4z gocd-server jvm 1 | ... 16 common frames omitted
Here the plugin installation
gocd-server $ curl --silent --location --fail --retry 3 https://github.com/gocd-contrib/email-notifier/releases/download/v1.2.0-169-exp/email-notifier-1.2.0-169.jar --output /godata/plugins/external/email-notifier.jar
chadlwilson
commented
1 year ago @klinux That's a different error to the stack trace in the original message (javax.net.ssl.SSLException: Unsupported or unrecognized SSL message vs javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)). Has that changed before + after plugin versions for you?
Can you try changing it to port 465? I believe on gmail if using STARTTLS you might have to use a different port, which may also be related to the original reporter's error.
https://developers.google.com/gmail/imap/imap-smtp
Also, do you set any Java system properties at GoCD level related to mail.*?
I'm not 100% sure whether Java Mail/Eclipse Angus Mail supports both STARTTLS and plain TLS for SMTP and whether we are configuring it correctly, however the plugin configuration after my change is identical to the GoCD Server. So if the GoCD server can send mail, the plugin should be able to as well (with the same configuration).
Gavster4
commented
1 year ago The plugin assumes tls as smtps vs starttls if it's port 25 (i don't remember if it's explicit or implicit). My customization was to set the smtps bits to false and always use starttls if tls is selected. It's a bit of a story but I couldn't get another port turned up for the smtp server I have to use for this case.
I'll try to get the new plugin version tested. I suspect the message above is the plugin trying smtps against a starttls connection. It was one that I ran into partway through and see if it resolves my need for the old protocols
On Thu, Mar 30, 2023, 9:58 PM Chad Wilson @.***> wrote:
@klinux https://github.com/klinux That's a different error to the stack trace in the original message (javax.net.ssl.SSLException: Unsupported or unrecognized SSL message vs javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)). Has that changed before + after plugin versions for you?
Can you try changing it to port 465? I believe on gmail if using STARTTLS you might have to use a different port, which may also be related to the original reporter's error.
https://developers.google.com/gmail/imap/imap-smtp
I'm not 100% sure whether Java Mail/Eclipse Angus Mail supports both STARTTLS and plain TLS for SMTP and whether we are configuring it correctly, however the plugin configuration after my change is identical to the GoCD Server. So if the GoCD server can send mail, the plugin should be able to as well (with the same configuration).
— Reply to this email directly, view it on GitHub https://github.com/gocd-contrib/email-notifier/issues/82#issuecomment-1491221785, or unsubscribe https://github.com/notifications/unsubscribe-auth/AC6Z2S6JWD2OV32VMI7T35DW6ZB4VANCNFSM6AAAAAATDT4YBE . You are receiving this because you commented.Message ID: @.***>
chadlwilson
commented
1 year ago @Gavster4 I don't believe the plugin assumes anything regarding ports - if you check the "tls" box in plugin settings, it previously (1.1.x) enabled both smtps protocol and STARTTLS - which is a bit weird, and maybe is what you were struggling with as you sound like you want STARTTLS only. I'm not sure if the logic within JavaMail allows "try to connect with TLS, if that fails, try plaintext and upgrade with STARTTLS".
I'm not sure why the plugin logic was this way, as it doesn't make sense to me to enable both smtps protocol and STARTTLS, and it's different to the GoCD server, but maybe GoCD server used to be like that historically.
Thanks for your message though, I realised that this is actually different to GoCD server (STARTTLS requires a system property opt-in there). I also accidentally reverted this behavior in my change above. I am wondering whether I should restore it or just bump the version and note a breaking change.
With the code right now, enabling "TLS" in options will do smtps and try and create a TLS socket out of the box. If you want to do STARTTLS you would leave TLS disabled in the plugin settings and probably need to set a system property on GoCD server like -Dmail.smtp.starttls.enable=true. This is how GoCD server works.
1.2.0-169 logic:
https://github.com/gocd-contrib/email-notifier/blob/27eb607db9ba643c140ccb8a2bd699ebbafc64b5/src/main/java/com/tw/go/plugin/SMTPMailSender.java#L83-L91
I can't exactly explain @klinux 's error right now and there are likely a few different things going on here. Probably need to do some empirical testing against Gmail at some point to understand in detail since the reports so far don't include complete sets of config, GoCD server version, plugin version, java version etc.
chadlwilson
commented
1 year ago Here's the behaviour of the plugin against Gmail with 1.2 code
| GMail Port | Plugin "TLS" setting | StartTLS System property | 1.1.x behaviour |
1.2.x behaviour |
|---|---|---|---|---|
| 25 | false | not set | ❌ 530 5.7.0 Must issue a STARTTLS command first |
❌ 530 5.7.0 Must issue a STARTTLS command first |
| 25 | false | set | ❌ N/A | ✅ OK w/ upgrade via STARTTTLS |
| 25 | true | not set | ❌No appropriate protocol (protocol is disabled or cipher suites are inappropriate) |
❌ Unsupported or unrecognized SSL message |
| 25 | true | set | ❌ N/A | ❌ Unsupported or unrecognized SSL message |
| 465 | false | not set | ❌ Could not connect to SMTP host: smtp.gmail.com, port: 465, response: -1 [EOF] |
❌ Got bad greeting from SMTP host: smtp.gmail.com, port: 465, response: [EOF] |
| 465 | false | set | ❌ N/A | ❌ Got bad greeting from SMTP host: smtp.gmail.com, port: 465, response: [EOF] |
| 465 | true | not set | ❌ No appropriate protocol (protocol is disabled or cipher suites are inappropriate) |
✅ OK w/ regular TLS |
| 465 | true | set | ❌ N/A | ✅ OK w/ regular TLS (STARTTLS irrelevant) |
| 587 | false | not set | ❌ 530 5.7.0 Must issue a STARTTLS command first |
❌ 530 5.7.0 Must issue a STARTTLS command first |
| 587 | false | set | ❌ N/A | ✅ OK w/ upgrade via STARTTTLS |
| 587 | true | not set | ❌ No appropriate protocol (protocol is disabled or cipher suites are inappropriate) |
❌ Unsupported or unrecognized SSL message |
| 587 | true | set | ❌ N/A | ❌ Unsupported or unrecognized SSL message |
In conclusion
25 or 587 appear to behave identically for these purposes. STARTTLS is both supported and required.
1.1 plugin there is no way to make this work due to the way it is implemented.1.2 plugin you can set system property -Dmail.smtp.starttls.enable=true and it will work. Identical behaviour to GoCD server 465 requires proper transport layer TLS. Enable "TLS" on the plugin and use this port (recommended in 2023)
1.1 plugin there is no way to make this work due to cipher suite problems. No idea what these are or what fixed them, and not planning to dig further into a 10 year old library version :-)1.2 plugin enable TLS on plugin settings and it will work just fine.So
-Dmail.smtp.starttls.enable=true and you should be good without code changes.Gavster4
commented
1 year ago @chadlwilson Reading the table above helped (and reading your specific message) . I was assuming I needed to specify TLS in the plugin as separate mail settings from the rest of the running server. Dropping this version corrected the issue with the java.security file needing to be changed and setting the plugin TLS to no in the defaulted it back to the STARTTLS that the rest of my GoCD system was using on 25. I'll still need to recompile to put servernames in the plugin email messages but this definitely fixed both messages/issues for me.
Looks like everyone should be golden now if they are using STARTTLS by leaving TLS as no on the plugin and setting "-Dmail.smtp.starttls.enable=true" in their wrapper config.
Thanks!
We are receiving this error to connect with smtp.gmail.com:
No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
There something wrong in my configuration?
Thank you