1. Re: TODO: TLS and JBossSX integration
kabirkhan Mar 26, 2004 3:44 AM (in response to acoliver)
Hi,
Has anybody been able to use the TLS stuff? I get the following error, and am not sure what could be going on! If you have any pointers they would be most appreciated. I want to get it working as is, before attempting JBossSX integration.
Cheers,
Kab
17:34:05,205 DEBUG [CmdSTARTTLS] STARTTLS command handler called
17:34:05,205 ERROR [STDERR] java.net.SocketException: Default SSL context init failed: null
17:34:05,215 ERROR [STDERR] at javax.net.ssl.DefaultSSLSocketFactory.createSocket(DashoA6275)
17:34:05,215 ERROR [STDERR] at org.jboss.mail.smtp.handlers.CmdSTARTTLS.handleRequest(CmdSTARTTLS.java:52)
17:34:05,215 ERROR [STDERR] at org.jboss.mail.smtp.SMTPProtocolInstance.handleRequest(SMTPProtocolInstance.java:151)
17:34:05,215 ERROR [STDERR] at org.jboss.mail.ServerThread.run(ServerThread.java:221)
17:34:05,215 ERROR [STDERR] at java.lang.Thread.run(Thread.java:534)
17:34:05,215 ERROR [SMTPProtocolInstance] Handle IO Error
17:34:05,215 ERROR [STDERR] java.lang.NullPointerException
17:34:05,215 ERROR [STDERR] at org.jboss.mail.ServerThread.run(ServerThread.java:223)
17:34:05,215 ERROR [STDERR] at java.lang.Thread.run(Thread.java:534)
17:34:05,215 DEBUG [ServerThreadPool] freeing org.jboss.mail.ServerThread@50078e -
2. Re: TODO: TLS and JBossSX integration
kabirkhan Mar 26, 2004 8:34 AM (in response to acoliver)
A few observations, please help me make sense of them if you can. I have not made any changes to the security settings of my jdk 1.4.2 that should affect this.
When running the TestCmdSTARTTLS unit test it seems to work, and with a bit of logging in place the new socket actually gets created. Why does the call to SSLSocketFactory.getDefault() work when running the test and not when running within JBoss?
I have been using SSL with JBoss-Jetty and JBoss-Tomcat for ages, and I was able to call SSLServerSocketFactory.getDefault() fine from CmdSTARTTLS both when running as a test and when running within JBoss.
I am wondering if maybe it could be due to me being outside the US? I am not sure though, because then I think the test should have failed too.
Could one of you Americans try this out and see what results you get? You have to add the following line to the SMTPProtocol mbean in jboss-service.xml of the project to enable TLS:
<attribute name="tls-enabled">true</attribute>
Then use telnet and see what happens:
220 badmojo.superlinksoftware.com SMTP Server (JBMAIL SMTP Server version 0.1) ready 26 March 2004 15:31:00 CET
EHLO localhost
250-badmojo.superlinksoftware.com Hello localhost (127.0.0.1 (127.0.0.1))
250-STARTTLS
250 AUTH LOGIN PLAIN
STARTTLS
Cheers,
Kab -
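The EHLO / STARTTLS exchange in the telnet transcript above, driven from code rather than by hand. This is an added example, not part of Kab's post and not JBoss Mail code. It assumes a server on localhost port 9000 (the test port mentioned later in the thread), that the server's certificate is trusted by the client JVM's default trust store (for a self-signed test keystore, point -Djavax.net.ssl.trustStore at it or import the certificate), and Java 7 or later for the hostname check. A client configured to "use TLS if available", as the thread's Thunderbird setup is, silently continues in plaintext when the 250-STARTTLS line is absent; this client refuses instead, which is the only configuration that resists an attacker who strips the keyword from the EHLO reply.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.Writer;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * SMTP client for the EHLO / STARTTLS exchange from the telnet transcript,
 * upgrading the same TCP connection to TLS afterwards.
 * Added example, not JBoss Mail code. Host, port and EHLO name are assumptions.
 */
public final class StartTlsClient {

    /** One SMTP reply: the 3-digit code plus the text of each line. */
    static final class Reply {
        final int code;
        final List<String> lines = new ArrayList<>();
        Reply(int code) { this.code = code; }
    }

    /** Reads one reply. "250-text" continues a multi-line reply, "250 text" ends it. */
    static Reply readReply(BufferedReader in) throws IOException {
        Reply reply = null;
        while (true) {
            String line = in.readLine();
            if (line == null || line.length() < 3) {
                throw new IOException("connection closed or malformed reply: " + line);
            }
            int code = Integer.parseInt(line.substring(0, 3));
            if (reply == null) {
                reply = new Reply(code);
            } else if (reply.code != code) {
                throw new IOException("reply code changed mid-reply: " + line);
            }
            reply.lines.add(line.length() > 4 ? line.substring(4) : "");
            if (line.length() == 3 || line.charAt(3) == ' ') {
                return reply;
            }
        }
    }

    static Reply send(Writer out, BufferedReader in, String command) throws IOException {
        out.write(command + "\r\n");
        out.flush();
        return readReply(in);
    }

    static BufferedReader reader(Socket s) throws IOException {
        return new BufferedReader(new InputStreamReader(s.getInputStream(), StandardCharsets.US_ASCII));
    }

    static Writer writer(Socket s) throws IOException {
        return new OutputStreamWriter(s.getOutputStream(), StandardCharsets.US_ASCII);
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "localhost";                 // assumption
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 9000;          // assumption
        String ehloName = "localhost";                                           // as in the transcript

        Socket plain = new Socket(host, port);
        BufferedReader in = reader(plain);
        Writer out = writer(plain);

        Reply greeting = readReply(in);
        if (greeting.code != 220) throw new IOException("unexpected greeting: " + greeting.lines);

        Reply ehlo = send(out, in, "EHLO " + ehloName);
        if (ehlo.code != 250) throw new IOException("EHLO rejected: " + ehlo.lines);

        // RFC 2487: STARTTLS is advertised as an EHLO keyword ("250-STARTTLS").
        // Refuse to carry on in the clear when it is missing; "TLS if available"
        // clients are downgraded simply by stripping that line.
        boolean offersTls = ehlo.lines.stream().skip(1)
                .anyMatch(l -> l.split(" ")[0].equalsIgnoreCase("STARTTLS"));
        if (!offersTls) throw new IOException("server does not offer STARTTLS; refusing plaintext session");

        Reply ready = send(out, in, "STARTTLS");
        if (ready.code != 220) throw new IOException("STARTTLS refused: " + ready.lines);

        // Client-side counterpart of the SSLSocketFactory.createSocket() call in
        // CmdSTARTTLS: layer TLS over the socket that already exists.
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket tls = (SSLSocket) factory.createSocket(plain, host, port, true);
        tls.setUseClientMode(true);
        SSLParameters params = tls.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // check the cert name against host
        tls.setSSLParameters(params);
        tls.startHandshake();                               // throws if the server cert is untrusted

        // RFC 2487: everything learned before STARTTLS is discarded, so EHLO again.
        BufferedReader tlsIn = reader(tls);
        Writer tlsOut = writer(tls);
        Reply ehloTls = send(tlsOut, tlsIn, "EHLO " + ehloName);
        if (ehloTls.code != 250) throw new IOException("EHLO over TLS rejected: " + ehloTls.lines);

        System.out.println("negotiated " + tls.getSession().getProtocol() + " / "
                + tls.getSession().getCipherSuite() + "; extensions over TLS: "
                + ehloTls.lines.subList(1, ehloTls.lines.size()));
        send(tlsOut, tlsIn, "QUIT");
        tls.close();
    }
}
```

Run it as `java StartTlsClient localhost 9000`. The second EHLO matters: the list of extensions (AUTH LOGIN PLAIN in the transcript) must be re-read after the handshake, and a client should only send AUTH PLAIN or LOGIN credentials on the post-STARTTLS connection, never on the plaintext one.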
3. Re: TODO: TLS and JBossSX integration
spiritualmechanic Mar 26, 2004 8:50 PM (in response to acoliver)
Let me look at it a little. I've dealt with SX a decent bit, since we had to connect to a custom LDAP schema. I'm more familiar with that than TLS, but we'll see.
Steve -
4. Re: TODO: TLS and JBossSX integration
spiritualmechanic Mar 26, 2004 9:25 PM (in response to acoliver)
I get this output for both true and false for this line in jboss-service.xml:
<attribute name="requireSTARTTLS">false</attribute>
Is that the right property you were referring to? Maybe there's another I missed?
22:07:10,979 DEBUG [CmdSTARTTLS] STARTTLS command handler called
[junit] res was 220 Ready to start TLS
[junit] Tests run: 1, Failures: 0, Errors: 0, Time elapsed: 4.997 sec
[junit] Output:
[junit] configureMBeanServerFactory
[junit] not returning from allready run
[junit] got the server impl
[junit] done setting up properties
[junit] 22:07:08,084 WARN [Server] Caught Throwable Error, this probably means we've already set the URLStreamHAndlerFactory before -
5. Re: TODO: TLS and JBossSX integration
spiritualmechanic Mar 26, 2004 9:28 PM (in response to acoliver)
I'm learning about a lot of this mail stuff. I've been in the web developer world too long :)
ftp://ftp.isi.edu/in-notes/rfc2246.txt -
6. Re: TODO: TLS and JBossSX integration
spiritualmechanic Mar 26, 2004 9:43 PM (in response to acoliver)
SMTP Service Extension for Secure SMTP over TLS
ftp://ftp.isi.edu/in-notes/rfc2487.txt
This one doesn't seem to be as low-level. Probably more directly relevant. -
7. Re: TODO: TLS and JBossSX integration
kabirkhan Mar 27, 2004 7:51 AM (in response to acoliver)
Hi Steve,
My test works as well. My problem is that I am not able to get TLS working in a running server. AFAIK the socket stuff is all meant to be working, all that is needed is to change the underlying security stuff.
To enable tls, leave requireSTARTTLS as false, and add the tls-enabled attribute (it is not there already), so that your jboss-service.xml entry looks something like:
<attribute name="requireSTARTTLS">false</attribute>
<attribute name="requireClientCert">false</attribute>
<attribute name="tls-enabled">true</attribute>
I then build mail.ear and deploy in a running JBoss.
Now when I try to connect using telnet (see previous example) it pukes out on the SSLSocketFactory.getDefault() line in CmdSTARTTLS. I think I lied a bit yesterday when I said it falls over on SSLSocketFactory.getDefault(), as the stack trace shows it to fall over on SSLSocketFactory.createSocket(). (Maybe it is throwing this error due to the telnet client not being SSL enabled, I need to read up a bit on SSL context :-) )
17:34:05,205 DEBUG [CmdSTARTTLS] STARTTLS command handler called
17:34:05,205 ERROR [STDERR] java.net.SocketException: Default SSL context init failed: null
17:34:05,215 ERROR [STDERR] at javax.net.ssl.DefaultSSLSocketFactory.createSocket(DashoA6275)
17:34:05,215 ERROR [STDERR] at org.jboss.mail.smtp.handlers.CmdSTARTTLS.handleRequest(CmdSTARTTLS.java:52)
17:34:05,215 ERROR [STDERR] at org.jboss.mail.smtp.SMTPProtocolInstance.handleRequest(SMTPProtocolInstance.java:151)
17:34:05,215 ERROR [STDERR] at org.jboss.mail.ServerThread.run(ServerThread.java:221)
17:34:05,215 ERROR [STDERR] at java.lang.Thread.run(Thread.java:534)
17:34:05,215 ERROR [SMTPProtocolInstance] Handle IO Error
17:34:05,215 ERROR [STDERR] java.lang.NullPointerException
17:34:05,215 ERROR [STDERR] at org.jboss.mail.ServerThread.run(ServerThread.java:223)
17:34:05,215 ERROR [STDERR] at java.lang.Thread.run(Thread.java:534)
17:34:05,215 DEBUG [ServerThreadPool] freeing org.jboss.mail.ServerThread@50078e
When I connect using Thunderbird (set up to use TLS if available), I get a bit further but then it falls over when trying to call SSLSocketFactory.createSocket() - a different error this time:
14:28:50,293 ERROR [STDERR] java.net.SocketException: Export restriction: this JSSE implementation is non-pluggable.
14:28:50,293 ERROR [STDERR] at javax.net.ssl.DefaultSSLSocketFactory.createSocket(DashoA6275)
14:28:50,293 ERROR [STDERR] at org.jboss.mail.smtp.handlers.CmdSTARTTLS.handleRequest(CmdSTARTTLS.java:59)
14:28:50,303 ERROR [STDERR] at org.jboss.mail.smtp.SMTPProtocolInstance.handleRequest(SMTPProtocolInstance.java:151)
14:28:50,303 ERROR [STDERR] at org.jboss.mail.ServerThread.run(ServerThread.java:222)
14:28:50,303 ERROR [STDERR] at java.lang.Thread.run(Thread.java:534)
(Note that the line numbers in my stack traces may be slightly off since I have been playing around.)
I don't see why it works in one environment and not in the other, since the unit test is connecting via a socket as well?!?
So I think it may have something to do with the fact that I am outside the US and have a JVM running a restricted version of JSSE (Java Secure Sockets Extension) :-(, but then why is the unit test working since it effectively does the same thing?
It would be great to know if anybody with a US JVM is able to run this with TLS enabled using a client. Also, if anybody has any hints about how to get around the JSSE issue?
Thanks,
Kab -
8. Re: TODO: TLS and JBossSX integration
kabirkhan Mar 27, 2004 7:57 AM (in response to acoliver)
Hmm, the below does not look like jboss-service.xml to me :-) but basically add the tls-enabled property at the end of the SMTPProtocol MBean config in jboss-service.xml, and set it to true.
-
9. Re: TODO: TLS and JBossSX integration
spiritualmechanic Mar 27, 2004 6:21 PM (in response to acoliver)
Can you give a little info on the telnet idea? Are you telnetting into localhost 25 and typing "EHLO" etc, to see what comes out?
I'm on Windows currently, so I'm not sure if I'm doing it wrong or if the telnet client isn't doing it correctly.
Sorry to be such a newbie on this stuff.
Steve -
10. Re: TODO: TLS and JBossSX integration
mk Mar 28, 2004 12:30 PM (in response to acoliver)
Hi,
I could verify the first error (where you get "Default SSL context init failed: null"). In my case this was due to the fact that I did not have the keystore as specified in jboss-service.xml (/home/mkrause/testkeys in my case). I saw this error by setting '-Djavax.net.debug="ssl,handshake" ' as a command-line argument to the VM when starting jboss. For some reason the line
'System.setProperty("javax.net.debug", "ssl,handshake");'
in CmdSTARTTLS.java has no effect (why?).
The second thing (Export restriction: this JSSE implementation is non-pluggable.) I could not verify, even though I also live outside the US (-: What happens if you comment out the line
'java.security.Security.addProvider( new com.sun.net.ssl.internal.ssl.Provider());' in the same file?
Michael -
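Michael's diagnosis, missing keystore behind "Default SSL context init failed: null", as an added example that is not part of his post and not JBoss Mail code. SSLSocketFactory.getDefault() builds its SSLContext from the javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword system properties; when that fails it hands back a DefaultSSLSocketFactory whose every createSocket() throws a SocketException carrying the original exception's message, which is why the trace shows the failure at createSocket with "null" as the detail. Loading the keystore explicitly at startup, as below, moves the failure to deployment time with a readable message. On the javax.net.debug question: the Sun JSSE reads that property once, when its classes are first initialized, so a System.setProperty() inside a command handler is too late if anything else in the JBoss JVM (an HTTPS connector, say) has already touched JSSE; the -D on the command line that Michael used is the reliable way. The keystore path, the environment variable for the password, and the meaning of requireClientCert are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.Socket;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Server side of STARTTLS with an explicitly loaded keystore. Added example,
 * not JBoss Mail code: the SSLContext is built here instead of through
 * SSLSocketFactory.getDefault(), so a missing or unreadable keystore fails at
 * startup with a clear message rather than as "Default SSL context init
 * failed: null" on the first STARTTLS from a client.
 */
public final class StartTlsServerContext {

    /** Loads the server key and certificate from a keystore and builds a TLS context. */
    public static SSLContext load(String keyStorePath, char[] storePassword, char[] keyPassword)
            throws IOException, GeneralSecurityException {
        Path path = Paths.get(keyStorePath);
        if (!Files.isReadable(path)) {
            // The condition behind the thread's "init failed: null" error.
            throw new IOException("TLS keystore missing or unreadable: " + path.toAbsolutePath());
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, storePassword);      // a wrong store password fails here, not later
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPassword);           // a wrong key password fails here
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // default trust managers and SecureRandom
        return ctx;
    }

    /**
     * What a STARTTLS handler does after replying "220 Ready to start TLS":
     * wrap the already-connected plaintext socket in a server-mode SSLSocket.
     */
    public static SSLSocket upgrade(Socket plain, SSLContext ctx, boolean requireClientCert)
            throws IOException {
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket tls = (SSLSocket) factory.createSocket(
                plain, plain.getInetAddress().getHostAddress(), plain.getPort(), true);
        tls.setUseClientMode(false);               // the server side of the handshake
        tls.setNeedClientAuth(requireClientCert);  // assumption: what requireClientCert=true means
        tls.startHandshake();                      // fails here, loudly, if the keystore has no usable key
        return tls;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: StartTlsServerContext <keystore-path>  (password in JBMAIL_KEYSTORE_PASSWORD)");
            System.exit(2);
        }
        // Assumption: the store password is supplied through this environment variable,
        // and the key password is the same (keytool's default when none is given).
        String password = System.getenv("JBMAIL_KEYSTORE_PASSWORD");
        if (password == null) throw new IllegalStateException("JBMAIL_KEYSTORE_PASSWORD is not set");
        char[] pw = password.toCharArray();
        SSLContext ctx = load(args[0], pw, pw);
        System.out.println("TLS context ready; protocols: "
                + String.join(",", ctx.getSupportedSSLParameters().getProtocols()));
    }
}
```

A self-signed keystore for testing can be produced with keytool (`-genkeypair` on Java 6 and later, `-genkey` on 1.4). If you prefer to keep SSLSocketFactory.getDefault() in the handler, the same keystore is reached through `-Djavax.net.ssl.keyStore=/path/to/testkeys -Djavax.net.ssl.keyStorePassword=...` on the JBoss command line; the explicit load() above only adds the early, descriptive failure and keeps the password out of the process's command line, where `ps` can read it.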
11. Re: TODO: TLS and JBossSX integration
kabirkhan Mar 29, 2004 3:17 AM (in response to acoliver)
Steve:
Yep, that's the way. I prefer the Putty SSH client to the crap one built in to windows though. If you haven't changed
MK:
Thanks for looking, I will try it out again.
Cheers,
Kab -
12. Re: TODO: TLS and JBossSX integration
kabirkhan Mar 29, 2004 4:05 AM (in response to acoliver)
Cool!
For some reason I assumed that the keystore was part of the distribution. It seems to work now, apart from having problems determining the local address of the server when adding the headers, which I will look into.
Cheers,
Kab -
13. Re: TODO: TLS and JBossSX integration
spiritualmechanic Mar 29, 2004 6:45 AM (in response to acoliver)
Okay. Great.
I try hitting localhost 25 (telnet) using Putty and I get connection refused. It doesn't look like my JBoss is actually opening up a port on 25.
I wish I had this stuff on Linux. I may have to move it over.
Steve -
14. Re: TODO: TLS and JBossSX integration
kabirkhan Mar 29, 2004 6:53 AM (in response to acoliver)
Try port 9000 ;-)
The port is configured in the SMTPProtocol MBean in jboss-service.xml. The comment reads:
"defines an SMTP server. Presently we put it on 9000 for testing purposes. We don't want
anyone to actually use this in production until its been completed and hardened."
Cheers,
Kab