mguessan / davmail

DavMail POP/IMAP/SMTP/Caldav/Carddav/LDAP Exchange and Office 365 Gateway - Synced with main subversion repository at
http://davmail.sourceforge.net
GNU General Public License v2.0

Support TLS 1.3? #375

Open esabol opened 1 day ago

esabol commented 1 day ago

@ifrh wrote:

Okay, it seems to me that DavMail does not support TLS 1.3 - or is there some way to activate TLS 1.3 via the "properties" file?

2024-12-04 23:13:48,607 DEBUG [CaldavConnection-54261] org.apache.http.conn.ssl.SSLConnectionSocketFactory  - Enabled protocols: [TLSv1, TLSv1.1, TLSv1.2]
[...]
2024-12-04 23:13:48,752 DEBUG [CaldavConnection-54261] org.apache.http.client.protocol.RequestAddCookies  - CookieSpec selected: default
2024-12-04 23:13:48,752 DEBUG [CaldavConnection-54261] org.apache.http.client.protocol.RequestAuthCache  - Auth cache not set in the context
2024-12-04 23:13:48,752 DEBUG [CaldavConnection-54261] org.apache.http.impl.conn.PoolingHttpClientConnectionManager  - Connection request: [route: {s}->https://OWA-SERVER.DOMAIN.TLD:443][total kept alive: 0; route allocated: 0 of 5; total allocated: 0 of 20]
2024-12-04 23:13:48,752 DEBUG [CaldavConnection-54261] org.apache.http.impl.conn.PoolingHttpClientConnectionManager  - Connection leased: [id: 1][route: {s}->https://OWA-SERVER.DOMAIN.TLD:443][total kept alive: 0; route allocated: 1 of 5; total allocated: 1 of 20]
2024-12-04 23:13:48,752 DEBUG [CaldavConnection-54261] org.apache.http.impl.execchain.MainClientExec  - Opening connection {s}->https://OWA-SERVER.DOMAIN.TLD:443
2024-12-04 23:13:48,752 DEBUG [CaldavConnection-54261] org.apache.http.impl.conn.DefaultHttpClientConnectionOperator  - Connecting to OWA-SERVER.DOMAIN.TLD/SOME-IP-ADDRESS:443
2024-12-04 23:13:48,752 DEBUG [CaldavConnection-54261] org.apache.http.conn.ssl.SSLConnectionSocketFactory  - Connecting socket to OWA-SERVER.DOMAIN.TLD/SOME-IP-ADDRESS:443 with timeout 10000
2024-12-04 23:13:48,814 DEBUG [CaldavConnection-54261] davmail.http.DavGatewaySSLSocketFactory  - createSocket OWA-SERVER.DOMAIN.TLD 443
2024-12-04 23:13:48,814 DEBUG [CaldavConnection-54261] org.apache.http.conn.ssl.SSLConnectionSocketFactory  - Enabled protocols: [TLSv1, TLSv1.1, TLSv1.2]
2024-12-04 23:13:48,824 DEBUG [CaldavConnection-54261] org.apache.http.conn.ssl.SSLConnectionSocketFactory  - Enabled cipher suites:[TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
2024-12-04 23:13:48,824 DEBUG [CaldavConnection-54261] org.apache.http.conn.ssl.SSLConnectionSocketFactory  - Starting handshake
2024-12-04 23:13:48,897 DEBUG [CaldavConnection-54261] org.apache.http.impl.conn.DefaultManagedHttpClientConnection  - http-outgoing-2: Shutdown connection
2024-12-04 23:13:48,948 DEBUG [CaldavConnection-54261] org.apache.http.impl.execchain.MainClientExec  - Connection discarded
2024-12-04 23:13:48,948 DEBUG [CaldavConnection-54261] org.apache.http.impl.conn.PoolingHttpClientConnectionManager  - Connection released: [id: 1][route: {s}->https://OWA-SERVER.DOMAIN.TLD:443][total kept alive: 0; route allocated: 0 of 5; total allocated: 0 of 20]
2024-12-04 23:13:48,948 DEBUG [CaldavConnection-54261] org.apache.http.impl.conn.PoolingHttpClientConnectionManager  - Connection manager is shutting down
2024-12-04 23:13:48,957 DEBUG [CaldavConnection-54261] org.apache.http.impl.conn.PoolingHttpClientConnectionManager  - Connection manager shut down
2024-12-04 23:13:48,957 ERROR [CaldavConnection-54261] davmail.exchange.ExchangeSession  - Exchange login exception: Received fatal alert: handshake_failure
2024-12-04 23:13:48,969 ERROR [CaldavConnection-54261] davmail  - Exchange login exception: Received fatal alert: handshake_failure
davmail.exception.DavMailException: Exchange login exception: Received fatal alert: handshake_failure
    at davmail.exchange.auth.ExchangeFormAuthenticator.authenticate(ExchangeFormAuthenticator.java:238)
    at davmail.exchange.ExchangeSessionFactory.getInstance(ExchangeSessionFactory.java:208)
    at davmail.exchange.ExchangeSessionFactory.getInstance(ExchangeSessionFactory.java:97)
    at davmail.caldav.CaldavConnection.run(CaldavConnection.java:178)

Originally posted by @ifrh in https://github.com/mguessan/davmail/issues/374#issuecomment-2518698578

ifrh commented 1 day ago

Found some information

I think davmail-6.2.2-3546-windows-standalone\jre\conf\security\java.security could somehow be modified... But I did not get what to change.

esabol commented 1 day ago

I don't know if it would help or not, but maybe just add "TLSv1.3" to the SUPPORTED_PROTOCOLS array here: https://github.com/mguessan/davmail/blob/2938a7bc37c280fe072c235914bb8e644d9a18d6/src/java/davmail/http/HttpClientAdapter.java#L75
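The debug log in the first comment shows the enabled protocol list stopping at TLSv1.2 while the enabled cipher suite list already contains the TLS 1.3 suites (TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256), so the bundled JRE can speak TLS 1.3 and the restriction comes from the protocol array handed to SSLConnectionSocketFactory. The following is an added illustration, not DavMail's own code: it builds a protocol list with TLSv1.3 added, filters it against what the running JRE reports as supported (on a JRE without TLS 1.3 a bare array containing "TLSv1.3" would make SSLSocket.setEnabledProtocols throw IllegalArgumentException), and passes it to an Apache HttpClient 4.5 SSLConnectionSocketFactory, which is the class that logs the "Enabled protocols" line. The class and constant names (Tls13ProtocolCheck, WANTED_PROTOCOLS) are assumptions, and the list also leaves out TLSv1 and TLSv1.1, which is a choice of this example rather than something the thread proposes.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import javax.net.ssl.SSLContext;

import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

public class Tls13ProtocolCheck {

    // Hypothetical protocol list (assumption of this example): TLSv1.3 added,
    // TLSv1 and TLSv1.1 dropped. Order is the preference order given to JSSE.
    static final String[] WANTED_PROTOCOLS = {"TLSv1.3", "TLSv1.2"};

    /** Protocols the running JRE can negotiate; depends on the JRE version and its java.security file. */
    static Set<String> jreSupportedProtocols() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        return new HashSet<>(Arrays.asList(ctx.getSupportedSSLParameters().getProtocols()));
    }

    /**
     * Keep only the wanted protocols the JRE supports. Passing an unsupported name
     * straight through would surface later as IllegalArgumentException from
     * SSLSocket.setEnabledProtocols during the first connection attempt.
     */
    static String[] negotiableProtocols(String[] wanted, Set<String> supported) {
        List<String> result = new ArrayList<>();
        for (String protocol : wanted) {
            if (supported.contains(protocol)) {
                result.add(protocol);
            }
        }
        if (result.isEmpty()) {
            throw new IllegalStateException("JRE supports none of " + Arrays.toString(wanted));
        }
        return result.toArray(new String[0]);
    }

    /** HttpClient whose TLS sockets enable exactly the filtered protocol list. */
    static CloseableHttpClient buildClient() throws Exception {
        String[] protocols = negotiableProtocols(WANTED_PROTOCOLS, jreSupportedProtocols());
        // null cipher suites = JSSE defaults, which java.security's jdk.tls.disabledAlgorithms governs
        SSLConnectionSocketFactory sslFactory = new SSLConnectionSocketFactory(
                SSLContext.getDefault(), protocols, null, new DefaultHostnameVerifier());
        return HttpClients.custom().setSSLSocketFactory(sslFactory).build();
    }

    public static void main(String[] args) throws Exception {
        Set<String> supported = jreSupportedProtocols();
        System.out.println("JRE supports: " + supported);
        System.out.println("Will enable:  " + Arrays.toString(negotiableProtocols(WANTED_PROTOCOLS, supported)));
        try (CloseableHttpClient client = buildClient()) {
            // A request made through this client logs "Enabled protocols: [TLSv1.3, TLSv1.2]"
            // at DEBUG level from SSLConnectionSocketFactory on a TLS 1.3 capable JRE.
        }
    }
}
```

Running the main method against the JRE shipped in the standalone package tells you directly whether TLSv1.3 is among the supported protocols before touching any DavMail setting; if it is, the filtered list is what would need to reach the socket factory, and the existing debug logging confirms the result without a packet capture.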

ifrh commented 1 day ago

Perhaps in the meantime one can use STUNNEL (https://www.stunnel.org/docs.html) to "translate" TLSv1.2 to TLSv1.3


Thunderbird <=> DavMail <=> STUNNEL <=> OWA
           CalDav     TLSv1.2    TLSv1.3
        localhost   localhost    localhost   <=> server

ifrh commented 23 hours ago

Thunderbird <=> DavMail <=> STUNNEL <=> OWA

Using STUNNEL as an adapter between DavMail and OWA helps around the TLS problem, but another DavMail exception is raised


2024-12-05 19:25:30,242 DEBUG [CaldavConnection-55779] org.apache.http.wire  - http-outgoing-91 << "HTTP/1.1 403 Forbidden[\r][\n]"
2024-12-05 19:25:30,242 DEBUG [CaldavConnection-55779] org.apache.http.wire  - http-outgoing-91 << "Date: Thu, 05 Dec 2024 18:25:31 GMT[\r][\n]"
2024-12-05 19:25:30,243 DEBUG [CaldavConnection-55779] org.apache.http.wire  - http-outgoing-91 << "X-Frame-Options: SAMEORIGIN[\r][\n]"
2024-12-05 19:25:30,243 DEBUG [CaldavConnection-55779] org.apache.http.wire  - http-outgoing-91 << "X-XSS-Protection: 1; mode=block[\r][\n]"
2024-12-05 19:25:30,243 DEBUG [CaldavConnection-55779] org.apache.http.wire  - http-outgoing-91 << "X-Content-Type-Options: nosniff[\r][\n]"
2024-12-05 19:25:30,243 DEBUG [CaldavConnection-55779] org.apache.http.wire  - http-outgoing-91 << "Connection: close[\r][\n]"
2024-12-05 19:25:30,244 DEBUG [CaldavConnection-55779] org.apache.http.wire  - http-outgoing-91 << "Content-Length: 75[\r][\n]"
2024-12-05 19:25:30,244 DEBUG [CaldavConnection-55779] org.apache.http.wire  - http-outgoing-91 << "Content-Type: text/html[\r][\n]"
2024-12-05 19:25:30,244 DEBUG [CaldavConnection-55779] org.apache.http.wire  - http-outgoing-91 << "[\r][\n]"
2024-12-05 19:25:30,244 DEBUG [CaldavConnection-55779] org.apache.http.wire  - http-outgoing-91 << "<html><head><title>403 Forbidden</title></head><body>Access denied</body>[\r][\n]"
2024-12-05 19:25:30,244 DEBUG [CaldavConnection-55779] org.apache.http.headers  - http-outgoing-91 << HTTP/1.1 403 Forbidden
2024-12-05 19:25:30,244 DEBUG [CaldavConnection-55779] org.apache.http.headers  - http-outgoing-91 << Date: Thu, 05 Dec 2024 18:25:31 GMT
2024-12-05 19:25:30,244 DEBUG [CaldavConnection-55779] org.apache.http.headers  - http-outgoing-91 << X-Frame-Options: SAMEORIGIN
2024-12-05 19:25:30,244 DEBUG [CaldavConnection-55779] org.apache.http.headers  - http-outgoing-91 << X-XSS-Protection: 1; mode=block
2024-12-05 19:25:30,244 DEBUG [CaldavConnection-55779] org.apache.http.headers  - http-outgoing-91 << X-Content-Type-Options: nosniff
2024-12-05 19:25:30,245 DEBUG [CaldavConnection-55779] org.apache.http.headers  - http-outgoing-91 << Connection: close
2024-12-05 19:25:30,245 DEBUG [CaldavConnection-55779] org.apache.http.headers  - http-outgoing-91 << Content-Length: 75
2024-12-05 19:25:30,245 DEBUG [CaldavConnection-55779] org.apache.http.headers  - http-outgoing-91 << Content-Type: text/html
2024-12-05 19:25:30,245 DEBUG [CaldavConnection-55779] org.apache.http.impl.conn.DefaultManagedHttpClientConnection  - http-outgoing-91: Close connection
2024-12-05 19:25:30,246 DEBUG [CaldavConnection-55779] org.apache.http.impl.execchain.MainClientExec  - Connection discarded
2024-12-05 19:25:30,246 DEBUG [CaldavConnection-55779] org.apache.http.impl.conn.PoolingHttpClientConnectionManager  - Connection released: [id: 89][route: {s}->https://localhost:1143][total kept alive: 0; route allocated: 0 of 5; total allocated: 0 of 20]
2024-12-05 19:25:30,246 DEBUG [CaldavConnection-55779] org.apache.http.impl.conn.PoolingHttpClientConnectionManager  - Connection manager is shutting down
2024-12-05 19:25:30,246 DEBUG [CaldavConnection-55779] org.apache.http.impl.conn.PoolingHttpClientConnectionManager  - Connection manager shut down
2024-12-05 19:25:30,246 ERROR [CaldavConnection-55779] davmail.exchange.ExchangeSession  - Exchange login exception: Forbidden
2024-12-05 19:25:30,247 ERROR [CaldavConnection-55779] davmail  - Exchange login exception: Forbidden
davmail.exception.DavMailException: Exchange login exception: Forbidden
    at davmail.exchange.auth.ExchangeFormAuthenticator.authenticate(ExchangeFormAuthenticator.java:238)
    at davmail.exchange.ExchangeSessionFactory.getInstance(ExchangeSessionFactory.java:208)
    at davmail.exchange.ExchangeSessionFactory.getInstance(ExchangeSessionFactory.java:97)
    at davmail.caldav.CaldavConnection.run(CaldavConnection.java:178)

esabol commented 20 hours ago

Using STUNNEL as an adapter between DavMail and OWA helps around the TLS problem, but another DavMail exception is raised

This is not relevant to this issue.