jakartaee / mail-api

Jakarta Mail Specification project
https://jakartaee.github.io/mail-api

TLS parameters in IMAP/SMTP sessions #724

Open synim503 opened 3 months ago

synim503 commented 3 months ago

Our mail server accepts requests with a certain set of cipher suites, extensions, EllipticCurves, and EllipticCurvePointFormats. And while cipher suites are set by the parameter mail.smtp.ssl.ciphersuites (at least in JavaMail), it is not clear how to set the other parameters. And I tried to change cipher suites in jakarta.mail; it didn't work.

String cipherSuites = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,...";
props.put("mail.smtp.ssl.ciphersuites", cipherSuites);

And so the question:

How, in an IMAP/SMTP connection, do I replace:

  1. cipher suites
  2. extensions
  3. EllipticCurves
  4. EllipticCurvePointFormats

jmehrens commented 3 months ago

Re-test with the system property mail.socket.debug=true (not a session property), as in java -Dmail.socket.debug=true -jar my.app. This will output information on what ciphers were set based on your session properties. You should see log lines in system out that start with "SSL enabled protocols after" and "SSL enabled ciphers after"; they reflect the state of the SSL socket after reading your properties.

There is also the system property java.security.debug, which has multiple options for debugging.

Start by verifying that what you have set in the mail properties for ciphers is actually being set on the SSL socket.

synim503 commented 3 months ago

@jmehrens The problem was that some encryption methods were already obsolete and considered insecure, and were disabled at the JVM level. But the problem remains with the extensions, EllipticCurves, and EllipticCurvePointFormats. Is there any possibility to change them? Or, because of the complexity of this procedure, is it more rational to change the acceptable TLS fingerprints accepted by the mail server?

jmehrens commented 3 months ago

Mail just sits on top of the Java Secure Socket Extension (JSSE), so keep in mind that most of the configuration you are looking for is in the JSSE reference guide from the FAQ link I provided. It takes some digging through that guide, but it usually has an answer. Basically, if you configure JSSE, mail will just use it.

We do enable some configuration of sockets via mail properties (cipher and protocol) but for anything more complex you would use the mail.smtp.ssl.socketFactory or mail.smtp.ssl.socketFactory.class to control all aspects of configuring a socket.

Bouncycastle has some pluggable security providers too.