I have a problem with my app for reading mail over IMAP.
The app reads multiple IMAP accounts. It can connect to all servers except one that requires TLS 1.2 or TLS 1.3.
I have this code:
System.out.println("SSLContext getProtocols(): " + String.join(" ", SSLContext.getDefault().getSupportedSSLParameters().getProtocols()));
Properties props = new Properties();
props.put("mail.imap.auth", "true");
props.put("mail.imap.ssl.enable", "true");
props.put("mail.imap.starttls.enable", "false");
props.put("jdk.tls.client.protocols", "TLSv1.2 TLSv1.3");
props.put("mail.imap.ssl.protocols", "TLSv1.2 TLSv1.3");
Session session = Session.getDefaultInstance(props);
Store store = session.getStore("imaps");
store.connect(mailConf.getImapServer(), mailConf.getImapServerPort(), mailConf.getImapUser(), mailConf.getImapPass());
Folder inbox = store.getFolder(mailConf.getImapMailFolder());
inbox.open(Folder.READ_ONLY);
and run the app using:
java -Djdk.tls.client.protocols="TLSv1.2,TLSv1.3"
-Ddeployment.security.SSLv2Hello=false
-Ddeployment.security.SSLv3=false
-Ddeployment.security.TLSv1=false
-Ddeployment.security.TLSv1.1=false
-Ddeployment.security.TLSv1.2=true
-Ddeployment.security.TLSv1.3=true
-jar myApp.jar
For the IMAP server that requires TLS 1.2+, I see this output:
SSLContext getProtocols(): TLSv1.3 TLSv1.2 TLSv1.1 TLSv1 SSLv3 SSLv2Hello
Jan 29 11:41:19 myhost myapp[22101]: 2020-01-29 11:41:19 ERROR e.v.MyAppApplication$$EnhancerBySpringCGLIB$$8bb5321c:68 - Imap readMail() error: Received fatal alert: protocol_version
I’m using Java 11:
# java --version
openjdk 11.0.4 2019-07-16
OpenJDK Runtime Environment (build 11.0.4+11-post-Debian-1deb10u1)
OpenJDK 64-Bit Server VM (build 11.0.4+11-post-Debian-1deb10u1, mixed mode, sharing)
What am I doing wrong? How can I force TLS 1.2+ for the IMAP connection?
Thanks.
3 Answers
I found the solution: upgrade Spring Boot from 2.1.1.RELEASE to 2.2.4.RELEASE.
You can remove the jdk.tls.client.protocols property from the JavaMail properties since JavaMail is definitely not interpreting that property. Setting it on the command line as a System property is fine since the JDK will interpret it.

I didn’t see any documentation about the deployment.security.* properties, but what I did see suggests they’re only relevant if you’re using the Java Plug-In or Java WebStart, which you aren’t. So you probably don’t need to set those properties.

The error message you’re getting suggests that your app is using Spring, although I don’t see it in the JavaMail code you posted. Perhaps Spring is somehow interposing on the socket setup code and controlling the security configuration?
You can try the standalone JavaMail msgshow.java sample program just to prove that you can make a connection using that JDK version with no special security configuration. If that fails, the problem is in the JDK security configuration.
For SMTP:
mail.smtps.ssl.protocols=TLSv1.2
For IMAP:
mail.imaps.ssl.protocols=TLSv1.2
For POP3:
mail.pop3s.ssl.protocols=TLSv1.2
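Putting the two answers above together, here is an added example (not code from the question or from the JavaMail project) that keys the protocol list under mail.imaps.* for the "imaps" store, prints the JVM's enabled protocols rather than its supported ones, and uses one Session per account. The host and credentials are placeholders.

```java
import java.util.Properties;
import javax.mail.Folder;
import javax.mail.MessagingException;
import javax.mail.Session;
import javax.mail.Store;
import javax.net.ssl.SSLContext;

public class ImapTlsCheck {

    // getDefaultSSLParameters() lists what the JVM will actually offer in a ClientHello
    // (this is what -Djdk.tls.client.protocols changes); getSupportedSSLParameters()
    // lists everything the JVM could enable, so it always shows SSLv3/TLSv1 as well.
    static void printTlsDefaults() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("enabled:   " + String.join(" ", ctx.getDefaultSSLParameters().getProtocols()));
        System.out.println("supported: " + String.join(" ", ctx.getSupportedSSLParameters().getProtocols()));
    }

    // Properties for session.getStore("imaps"): that store reads mail.imaps.* keys,
    // so the mail.imap.ssl.protocols key from the question never reached the socket.
    static Properties imapsProperties() {
        Properties props = new Properties();
        props.put("mail.imaps.ssl.protocols", "TLSv1.2 TLSv1.3");   // whitespace-separated list
        props.put("mail.imaps.ssl.checkserveridentity", "true");   // verify the certificate hostname
        return props;
    }

    static int countInboxMessages(String host, int port, String user, String pass) throws MessagingException {
        // Session.getInstance gives each account its own properties; Session.getDefaultInstance
        // keeps the first account's properties for every later call in the same JVM.
        Session session = Session.getInstance(imapsProperties());
        Store store = session.getStore("imaps");
        try {
            store.connect(host, port, user, pass);
            Folder inbox = store.getFolder("INBOX");
            inbox.open(Folder.READ_ONLY);
            int count = inbox.getMessageCount();
            inbox.close(false);
            return count;
        } finally {
            store.close();
        }
    }

    public static void main(String[] args) throws Exception {
        printTlsDefaults();
        // Placeholder host and credentials; substitute the account that fails with protocol_version.
        System.out.println("INBOX messages: " + countInboxMessages("imap.example.invalid", 993, "user", "pass"));
    }
}
```

If the server still answers with a protocol_version alert while "enabled" shows TLSv1.2 and TLSv1.3, the socket is not being created by this session's settings, which points back at the framework interposition suspected in the second answer.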