mguessan / davmail

DavMail POP/IMAP/SMTP/Caldav/Carddav/LDAP Exchange and Office 365 Gateway - Synced with main subversion repository at
http://davmail.sourceforge.net
GNU General Public License v2.0

Support TLS 1.3? #375

Open esabol opened 4 days ago

esabol commented 4 days ago

@ifrh wrote:

Okay, it seems to me that DavMail does not support TLS 1.3. Or is there some way to activate TLS 1.3 via the "properties" file?

2024-12-04 23:13:48,607 DEBUG [CaldavConnection-54261] org.apache.http.conn.ssl.SSLConnectionSocketFactory  - Enabled protocols: [TLSv1, TLSv1.1, TLSv1.2]
[...]
2024-12-04 23:13:48,752 DEBUG [CaldavConnection-54261] org.apache.http.client.protocol.RequestAddCookies  - CookieSpec selected: default
2024-12-04 23:13:48,752 DEBUG [CaldavConnection-54261] org.apache.http.client.protocol.RequestAuthCache  - Auth cache not set in the context
2024-12-04 23:13:48,752 DEBUG [CaldavConnection-54261] org.apache.http.impl.conn.PoolingHttpClientConnectionManager  - Connection request: [route: {s}->https://OWA-SERVER.DOMAIN.TLD:443][total kept alive: 0; route allocated: 0 of 5; total allocated: 0 of 20]
2024-12-04 23:13:48,752 DEBUG [CaldavConnection-54261] org.apache.http.impl.conn.PoolingHttpClientConnectionManager  - Connection leased: [id: 1][route: {s}->https://OWA-SERVER.DOMAIN.TLD:443][total kept alive: 0; route allocated: 1 of 5; total allocated: 1 of 20]
2024-12-04 23:13:48,752 DEBUG [CaldavConnection-54261] org.apache.http.impl.execchain.MainClientExec  - Opening connection {s}->https://OWA-SERVER.DOMAIN.TLD:443
2024-12-04 23:13:48,752 DEBUG [CaldavConnection-54261] org.apache.http.impl.conn.DefaultHttpClientConnectionOperator  - Connecting to OWA-SERVER.DOMAIN.TLD/SOME-IP-ADDRESS:443
2024-12-04 23:13:48,752 DEBUG [CaldavConnection-54261] org.apache.http.conn.ssl.SSLConnectionSocketFactory  - Connecting socket to OWA-SERVER.DOMAIN.TLD/SOME-IP-ADDRESS:443 with timeout 10000
2024-12-04 23:13:48,814 DEBUG [CaldavConnection-54261] davmail.http.DavGatewaySSLSocketFactory  - createSocket OWA-SERVER.DOMAIN.TLD 443
2024-12-04 23:13:48,814 DEBUG [CaldavConnection-54261] org.apache.http.conn.ssl.SSLConnectionSocketFactory  - Enabled protocols: [TLSv1, TLSv1.1, TLSv1.2]
2024-12-04 23:13:48,824 DEBUG [CaldavConnection-54261] org.apache.http.conn.ssl.SSLConnectionSocketFactory  - Enabled cipher suites:[TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
2024-12-04 23:13:48,824 DEBUG [CaldavConnection-54261] org.apache.http.conn.ssl.SSLConnectionSocketFactory  - Starting handshake
2024-12-04 23:13:48,897 DEBUG [CaldavConnection-54261] org.apache.http.impl.conn.DefaultManagedHttpClientConnection  - http-outgoing-2: Shutdown connection
2024-12-04 23:13:48,948 DEBUG [CaldavConnection-54261] org.apache.http.impl.execchain.MainClientExec  - Connection discarded
2024-12-04 23:13:48,948 DEBUG [CaldavConnection-54261] org.apache.http.impl.conn.PoolingHttpClientConnectionManager  - Connection released: [id: 1][route: {s}->https://OWA-SERVER.DOMAIN.TLD:443][total kept alive: 0; route allocated: 0 of 5; total allocated: 0 of 20]
2024-12-04 23:13:48,948 DEBUG [CaldavConnection-54261] org.apache.http.impl.conn.PoolingHttpClientConnectionManager  - Connection manager is shutting down
2024-12-04 23:13:48,957 DEBUG [CaldavConnection-54261] org.apache.http.impl.conn.PoolingHttpClientConnectionManager  - Connection manager shut down
2024-12-04 23:13:48,957 ERROR [CaldavConnection-54261] davmail.exchange.ExchangeSession  - Exchange login exception: Received fatal alert: handshake_failure
2024-12-04 23:13:48,969 ERROR [CaldavConnection-54261] davmail  - Exchange login exception: Received fatal alert: handshake_failure
davmail.exception.DavMailException: Exchange login exception: Received fatal alert: handshake_failure
    at davmail.exchange.auth.ExchangeFormAuthenticator.authenticate(ExchangeFormAuthenticator.java:238)
    at davmail.exchange.ExchangeSessionFactory.getInstance(ExchangeSessionFactory.java:208)
    at davmail.exchange.ExchangeSessionFactory.getInstance(ExchangeSessionFactory.java:97)
    at davmail.caldav.CaldavConnection.run(CaldavConnection.java:178)

Originally posted by @ifrh in https://github.com/mguessan/davmail/issues/374#issuecomment-2518698578

ifrh commented 4 days ago

Found some information

I think davmail-6.2.2-3546-windows-standalone\jre\conf\security\java.security could somehow be modified... But I did not get what to change.

esabol commented 4 days ago

I don't know if it would help or not, but maybe just add , "TLSv1.3" to the SUPPORTED_PROTOCOLS array here: https://github.com/mguessan/davmail/blob/2938a7bc37c280fe072c235914bb8e644d9a18d6/src/java/davmail/http/HttpClientAdapter.java#L75
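An added example (not DavMail's own code, and not from the linked file): it shows the effect of appending "TLSv1.3" to a SUPPORTED_PROTOCOLS list like the one referenced above when building an Apache httpclient 4.x SSLConnectionSocketFactory, and filters the list against what the running JRE actually implements, since a bundled JRE without TLS 1.3 (older Java 8 builds) rejects an unknown protocol name in setEnabledProtocols with IllegalArgumentException. The class and method names are mine; only the array name comes from the page.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;

public final class Tls13ProtocolSelection {

    // The list shown in the page's log (TLSv1, TLSv1.1, TLSv1.2) with "TLSv1.3"
    // appended, as the comment above proposes.
    static final String[] SUPPORTED_PROTOCOLS = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"};

    // Returns the entries of 'wanted' that this runtime implements, in order.
    // Without this filter, a JRE lacking TLS 1.3 would throw
    // IllegalArgumentException when the factory enables the protocols.
    static String[] negotiableProtocols(SSLContext ctx, String[] wanted) {
        Set<String> supported = new HashSet<>(Arrays.asList(
                ctx.getSupportedSSLParameters().getProtocols()));
        List<String> result = new ArrayList<>();
        for (String p : wanted) {
            if (supported.contains(p)) {
                result.add(p);
            }
        }
        return result.toArray(new String[0]);
    }

    // Builds an httpclient socket factory restricted to the negotiable protocols.
    // null cipher suites = JRE defaults; hostname verification stays enabled.
    static SSLConnectionSocketFactory socketFactory(SSLContext ctx) {
        String[] protocols = negotiableProtocols(ctx, SUPPORTED_PROTOCOLS);
        return new SSLConnectionSocketFactory(ctx, protocols, null,
                SSLConnectionSocketFactory.getDefaultHostnameVerifier());
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("JRE supports: "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("Will enable:  "
                + Arrays.toString(negotiableProtocols(ctx, SUPPORTED_PROTOCOLS)));
        socketFactory(ctx);
    }
}
```

Running the main method against the bundled JRE prints whether "TLSv1.3" survives the filter, which is the quickest way to tell a runtime limitation apart from a missing entry in the protocol list.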

ifrh commented 4 days ago

Perhaps in the meantime one can use STUNNEL (https://www.stunnel.org/docs.html) to "translate" TLSv1.2 to TLSv1.3.


Thunderbird <=> DavMail <=> STUNNEL <=> OWA
           CalDav     TLSv1.2    TLSv1.3
        localhost   localhost    localhost   <=> server

ifrh commented 3 days ago

Thunderbird <=> DavMail <=> STUNNEL <=> OWA

Using STUNNEL as an adapter between DavMail and OWA works around the TLS problem, but another DavMail exception is raised:


2024-12-05 19:25:30,242 DEBUG [CaldavConnection-55779] org.apache.http.wire  - http-outgoing-91 << "HTTP/1.1 403 Forbidden[\r][\n]"
2024-12-05 19:25:30,242 DEBUG [CaldavConnection-55779] org.apache.http.wire  - http-outgoing-91 << "Date: Thu, 05 Dec 2024 18:25:31 GMT[\r][\n]"
2024-12-05 19:25:30,243 DEBUG [CaldavConnection-55779] org.apache.http.wire  - http-outgoing-91 << "X-Frame-Options: SAMEORIGIN[\r][\n]"
2024-12-05 19:25:30,243 DEBUG [CaldavConnection-55779] org.apache.http.wire  - http-outgoing-91 << "X-XSS-Protection: 1; mode=block[\r][\n]"
2024-12-05 19:25:30,243 DEBUG [CaldavConnection-55779] org.apache.http.wire  - http-outgoing-91 << "X-Content-Type-Options: nosniff[\r][\n]"
2024-12-05 19:25:30,243 DEBUG [CaldavConnection-55779] org.apache.http.wire  - http-outgoing-91 << "Connection: close[\r][\n]"
2024-12-05 19:25:30,244 DEBUG [CaldavConnection-55779] org.apache.http.wire  - http-outgoing-91 << "Content-Length: 75[\r][\n]"
2024-12-05 19:25:30,244 DEBUG [CaldavConnection-55779] org.apache.http.wire  - http-outgoing-91 << "Content-Type: text/html[\r][\n]"
2024-12-05 19:25:30,244 DEBUG [CaldavConnection-55779] org.apache.http.wire  - http-outgoing-91 << "[\r][\n]"
2024-12-05 19:25:30,244 DEBUG [CaldavConnection-55779] org.apache.http.wire  - http-outgoing-91 << "<html><head><title>403 Forbidden</title></head><body>Access denied</body>[\r][\n]"
2024-12-05 19:25:30,244 DEBUG [CaldavConnection-55779] org.apache.http.headers  - http-outgoing-91 << HTTP/1.1 403 Forbidden
2024-12-05 19:25:30,244 DEBUG [CaldavConnection-55779] org.apache.http.headers  - http-outgoing-91 << Date: Thu, 05 Dec 2024 18:25:31 GMT
2024-12-05 19:25:30,244 DEBUG [CaldavConnection-55779] org.apache.http.headers  - http-outgoing-91 << X-Frame-Options: SAMEORIGIN
2024-12-05 19:25:30,244 DEBUG [CaldavConnection-55779] org.apache.http.headers  - http-outgoing-91 << X-XSS-Protection: 1; mode=block
2024-12-05 19:25:30,244 DEBUG [CaldavConnection-55779] org.apache.http.headers  - http-outgoing-91 << X-Content-Type-Options: nosniff
2024-12-05 19:25:30,245 DEBUG [CaldavConnection-55779] org.apache.http.headers  - http-outgoing-91 << Connection: close
2024-12-05 19:25:30,245 DEBUG [CaldavConnection-55779] org.apache.http.headers  - http-outgoing-91 << Content-Length: 75
2024-12-05 19:25:30,245 DEBUG [CaldavConnection-55779] org.apache.http.headers  - http-outgoing-91 << Content-Type: text/html
2024-12-05 19:25:30,245 DEBUG [CaldavConnection-55779] org.apache.http.impl.conn.DefaultManagedHttpClientConnection  - http-outgoing-91: Close connection
2024-12-05 19:25:30,246 DEBUG [CaldavConnection-55779] org.apache.http.impl.execchain.MainClientExec  - Connection discarded
2024-12-05 19:25:30,246 DEBUG [CaldavConnection-55779] org.apache.http.impl.conn.PoolingHttpClientConnectionManager  - Connection released: [id: 89][route: {s}->https://localhost:1143][total kept alive: 0; route allocated: 0 of 5; total allocated: 0 of 20]
2024-12-05 19:25:30,246 DEBUG [CaldavConnection-55779] org.apache.http.impl.conn.PoolingHttpClientConnectionManager  - Connection manager is shutting down
2024-12-05 19:25:30,246 DEBUG [CaldavConnection-55779] org.apache.http.impl.conn.PoolingHttpClientConnectionManager  - Connection manager shut down
2024-12-05 19:25:30,246 ERROR [CaldavConnection-55779] davmail.exchange.ExchangeSession  - Exchange login exception: Forbidden
2024-12-05 19:25:30,247 ERROR [CaldavConnection-55779] davmail  - Exchange login exception: Forbidden
davmail.exception.DavMailException: Exchange login exception: Forbidden
    at davmail.exchange.auth.ExchangeFormAuthenticator.authenticate(ExchangeFormAuthenticator.java:238)
    at davmail.exchange.ExchangeSessionFactory.getInstance(ExchangeSessionFactory.java:208)
    at davmail.exchange.ExchangeSessionFactory.getInstance(ExchangeSessionFactory.java:97)
    at davmail.caldav.CaldavConnection.run(CaldavConnection.java:178)

esabol commented 3 days ago

Using STUNNEL as an adapter between DavMail and OWA works around the TLS problem, but another DavMail exception is raised

This is not relevant to this issue.