28 Replies Latest reply on Apr 2, 2004 4:23 AM by kabirkhan

    TODO: TLS and JBossSX integration

    acoliver

      Presently the TLS stuff actually takes a hardcoded path for the keystore (worse the example seems to have a windows non-relative path). Most stuff in JBoss declares a security domain and associates the keystore there. This would be a good small project for someone and would help familiarize you with JBossSX and TLS.

        • 1. Re: TODO: TLS and JBossSX integration
          kabirkhan

          Hi,

          Has anybody been able to use the TLS stuff? I get the following error, and am not sure what could be going on! If you have any pointers they would be most appreciated. I want to get it working as is, before attempting JBossSX integration.

          Cheers,

          Kab

          17:34:05,205 DEBUG [CmdSTARTTLS] STARTTLS command handler called
          17:34:05,205 ERROR [STDERR] java.net.SocketException: Default SSL context init failed: null
          17:34:05,215 ERROR [STDERR] at javax.net.ssl.DefaultSSLSocketFactory.createSocket(DashoA6275)
          17:34:05,215 ERROR [STDERR] at org.jboss.mail.smtp.handlers.CmdSTARTTLS.handleRequest(CmdSTARTTLS.java:52)
          17:34:05,215 ERROR [STDERR] at org.jboss.mail.smtp.SMTPProtocolInstance.handleRequest(SMTPProtocolInstance.java:151)
          17:34:05,215 ERROR [STDERR] at org.jboss.mail.ServerThread.run(ServerThread.java:221)
          17:34:05,215 ERROR [STDERR] at java.lang.Thread.run(Thread.java:534)
          17:34:05,215 ERROR [SMTPProtocolInstance] Handle IO Error
          17:34:05,215 ERROR [STDERR] java.lang.NullPointerException
          17:34:05,215 ERROR [STDERR] at org.jboss.mail.ServerThread.run(ServerThread.java:223)
          17:34:05,215 ERROR [STDERR] at java.lang.Thread.run(Thread.java:534)
          17:34:05,215 DEBUG [ServerThreadPool] freeing org.jboss.mail.ServerThread@50078e

          • 2. Re: TODO: TLS and JBossSX integration
            kabirkhan

            A few observations, please help me make sense of them if you can. I have not made any changes to the security settings of my jdk 1.4.2 that should affect this.

            When running the TestCmdSTARTTLS unit test it seems to work, and with a bit of logging in place the new socket actually gets created. Why does the call to SSLSocketFactory.getDefault() work when running the test and not when running within JBoss?

            I have been using SSL with JBoss-Jetty and JBoss-Tomcat for ages, and I was able to call SSLServerSocketFactory.getDefault() fine from CmdSTARTTLS both when running as a test and when running within JBoss.

            I am wondering if maybe it could be due to me being outside the US? I am not sure though, because then I think the test should have failed too.
            Could one of you Americans try this out and see what results you get? You have to add the following line to the SMTPProtocol mbean in jboss-service.xml of the project to enable TLS:

            <attribute name="tls-enabled">true</attribute>

            Then use telnet and see what happens:

            220 badmojo.superlinksoftware.com SMTP Server (JBMAIL SMTP Server version 0.1) ready 26 March 2004 15:31:00 CET
            EHLO localhost
            250-badmojo.superlinksoftware.com Hello localhost (127.0.0.1 (127.0.0.1))
            250-STARTTLS
            250 AUTH LOGIN PLAIN
            STARTTLS

            Cheers,

            Kab

            • 3. Re: TODO: TLS and JBossSX integration

              Let me look at it a little. I've dealt with SX a decent bit, since we had to connect to a custom LDAP schema. I'm more familiar with that than TLS, but we'll see.

              Steve

              • 4. Re: TODO: TLS and JBossSX integration

                I get this output for both true and false for this line in jboss-service.xml:

                <attribute name="requireSTARTTLS">false</attribute>

                Is that the right property you were referring to? Maybe there's another I missed?


                22:07:10,979 DEBUG [CmdSTARTTLS] STARTTLS command handler called
                [junit] res was 220 Ready to start TLS
                [junit] Tests run: 1, Failures: 0, Errors: 0, Time elapsed: 4.997 sec
                [junit] Output:
                [junit] configureMBeanServerFactory
                [junit] not returning from allready run
                [junit] got the server impl
                [junit] done setting up properties
                [junit] 22:07:08,084 WARN [Server] Caught Throwable Error, this probably means we've already set the URLStreamHAndlerFactory before

                • 5. Re: TODO: TLS and JBossSX integration

                  I'm learning about a lot of this mail stuff. I've been in the web developer world too long :)

                  ftp://ftp.isi.edu/in-notes/rfc2246.txt

                  • 6. Re: TODO: TLS and JBossSX integration

                    SMTP Service Extension for Secure SMTP over TLS

                    ftp://ftp.isi.edu/in-notes/rfc2487.txt

                    This one doesn't seem to be as low-level. Probably more directly relevant.

                    • 7. Re: TODO: TLS and JBossSX integration
                      kabirkhan

                      Hi Steve,

                      My test works as well. My problem is that I am not able to get TLS working in a running server. AFAIK the socket stuff is all meant to be working; all that is needed is to change the underlying security stuff.

                      To enable tls, leave requireSTARTTLS as false, and add the tls-enabled attribute (it is not there already), so that your jboss-service.xml entry looks something like:

                      <attribute name="requireSTARTTLS">false</attribute>
                      <attribute name="requireClientCert">false</attribute>
                      <attribute name="tls-enabled">true</attribute>


                      I then build mail.ear and deploy in a running JBoss.


                      Now when I try to connect using telnet (see previous example) it pukes out on the SSLSocketFactory.getDefault() line in CmdSTARTTLS. I think I lied a bit yesterday when I said it falls over on SSLSocketFactory.getDefault(), as the stack trace shows it to fall over on SSLSocketFactory.createSocket(). (Maybe it is throwing this error due to the telnet client not being SSL enabled, I need to read up a bit on SSL context :-) )

                      17:34:05,205 DEBUG [CmdSTARTTLS] STARTTLS command handler called
                      17:34:05,205 ERROR [STDERR] java.net.SocketException: Default SSL context init failed: null
                      17:34:05,215 ERROR [STDERR] at javax.net.ssl.DefaultSSLSocketFactory.createSocket(DashoA6275)
                      17:34:05,215 ERROR [STDERR] at org.jboss.mail.smtp.handlers.CmdSTARTTLS.handleRequest(CmdSTARTTLS.java:52)
                      17:34:05,215 ERROR [STDERR] at org.jboss.mail.smtp.SMTPProtocolInstance.handleRequest(SMTPProtocolInstance.java:151)
                      17:34:05,215 ERROR [STDERR] at org.jboss.mail.ServerThread.run(ServerThread.java:221)
                      17:34:05,215 ERROR [STDERR] at java.lang.Thread.run(Thread.java:534)
                      17:34:05,215 ERROR [SMTPProtocolInstance] Handle IO Error
                      17:34:05,215 ERROR [STDERR] java.lang.NullPointerException
                      17:34:05,215 ERROR [STDERR] at org.jboss.mail.ServerThread.run(ServerThread.java:223)
                      17:34:05,215 ERROR [STDERR] at java.lang.Thread.run(Thread.java:534)
                      17:34:05,215 DEBUG [ServerThreadPool] freeing org.jboss.mail.ServerThread@50078e


                      When I connect using Thunderbird (set up to use TLS if available), I get a bit further but then it falls over when trying to call SSLSocketFactory.createSocket() - a different error this time:

                      14:28:50,293 ERROR [STDERR] java.net.SocketException: Export restriction: this JSSE implementation is non-pluggable.
                      14:28:50,293 ERROR [STDERR] at javax.net.ssl.DefaultSSLSocketFactory.createSocket(DashoA6275)
                      14:28:50,293 ERROR [STDERR] at org.jboss.mail.smtp.handlers.CmdSTARTTLS.handleRequest(CmdSTARTTLS.java:59)
                      14:28:50,303 ERROR [STDERR] at org.jboss.mail.smtp.SMTPProtocolInstance.handleRequest(SMTPProtocolInstance.java:151)
                      14:28:50,303 ERROR [STDERR] at org.jboss.mail.ServerThread.run(ServerThread.java:222)
                      14:28:50,303 ERROR [STDERR] at java.lang.Thread.run(Thread.java:534)

                      (Note that the line numbers in my stack traces may be slightly off since I have been playing around.)

                      I don't see why it works in one environment and not in the other, since the unit test is connecting via a socket as well?!?

                      So I think it may have something to do with the fact that I am outside the US and have a JVM running a restricted version of JSSE (Java Secure Sockets Extension) :-(, but then why is the unit test working since it effectively does the same thing?

                      It would be great to know if anybody with a US JVM is able to run this with TLS enabled using a client. Also, if anybody has any hints about how to get around the JSSE issue?

                      Thanks,

                      Kab

                      • 8. Re: TODO: TLS and JBossSX integration
                        kabirkhan

                        Hmm, the below does not look like jboss-service.xml to me :-) but basically add the tls-enabled property at the end of the SMTPProtocol MBean config in jboss-service.xml, and set it to true.

                        • 9. Re: TODO: TLS and JBossSX integration

                          Can you give a little info on the telnet idea? Are you telnetting into localhost 25 and typing "EHLO" etc, to see what comes out?

                          I'm on Windows currently, so I'm not sure if I'm doing it wrong or if the telnet client isn't doing it correctly.

                          Sorry to be such a newbie on this stuff.

                          Steve

                          • 10. Re: TODO: TLS and JBossSX integration
                            mk

                            Hi,

                            I could verify the first error (where you get "Default SSL context init failed: null"). In my case this was due to the fact that I did not have the keystore as specified in jboss-service.xml
                            (/home/mkrause/testkeys in my case). I saw this error by setting '-Djavax.net.debug="ssl,handshake" ' as a command-line argument to the VM when starting jboss. For some reason the line
                            'System.setProperty("javax.net.debug", "ssl,handshake");'
                            in CmdSTARTTLS.java has no effect (why?).

                            The second thing (Export restriction: this JSSE implementation is non-pluggable.) I could not verify. Even though I also live outside the US (-: What happens if you comment the line
                            'java.security.Security.addProvider( new com.sun.net.ssl.internal.ssl.Provider());' in the same file?

                            Michael
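The root cause found in the post above, a keystore path that does not exist, surfaces only as the opaque "Default SSL context init failed: null" because the default SSLSocketFactory reads the keystore from system properties lazily and swallows the underlying exception. The example below is added here and is not code from the thread or from JBoss Mail's CmdSTARTTLS: it shows how a STARTTLS handler can instead build its own SSLContext from an explicitly configured keystore, fail at startup with a clear message when that file is missing, empty or has the wrong password, and then upgrade an already-accepted plain socket to TLS in server mode. The class name StartTlsUpgrader, the constructor parameters and the use of a Java 7+ JDK are assumptions; the keystore path would come from the same MBean configuration the thread discusses.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.Socket;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Hypothetical helper (not part of JBoss Mail): builds an SSLContext from an
 * explicitly configured keystore and upgrades an accepted plain socket to TLS,
 * server side, after the "220 Ready to start TLS" reply has been sent.
 */
public final class StartTlsUpgrader {

    private final SSLContext context;

    /**
     * @param keystorePath path taken from the server configuration (assumed)
     * @param storePass    keystore integrity password
     * @param keyPass      password protecting the private key entry
     */
    public StartTlsUpgrader(String keystorePath, char[] storePass, char[] keyPass)
            throws IOException, GeneralSecurityException {
        Path ks = Paths.get(keystorePath);

        // Check the file up front so a misconfigured path is reported at startup
        // rather than as "Default SSL context init failed: null" on the first STARTTLS.
        if (!Files.isReadable(ks)) {
            throw new IOException("TLS keystore not found or unreadable: " + ks.toAbsolutePath());
        }

        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(ks.toFile())) {
            store.load(in, storePass);   // throws if the password is wrong or the file is corrupt
        }
        if (!store.aliases().hasMoreElements()) {
            throw new GeneralSecurityException("TLS keystore contains no entries: " + ks);
        }

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(store, keyPass);

        // Our own context: does not depend on javax.net.ssl.keyStore system properties.
        // Null trust managers = JDK defaults; client certificates are not requested below.
        context = SSLContext.getInstance("TLS");
        context.init(kmf.getKeyManagers(), null, null);
    }

    /**
     * Wraps the plain socket in a TLS socket. Call only after the 220 reply has
     * been written and flushed, so the client's ClientHello is the next bytes read.
     */
    public SSLSocket upgrade(Socket plain) throws IOException {
        SSLSocketFactory factory = context.getSocketFactory();
        SSLSocket tls = (SSLSocket) factory.createSocket(
                plain, plain.getInetAddress().getHostAddress(), plain.getPort(), true);
        tls.setUseClientMode(false);   // the server side of the handshake
        tls.setNeedClientAuth(false);  // mirrors requireClientCert=false in the thread
        tls.startHandshake();          // handshake failures surface here, with a real cause
        return tls;
    }
}
```

Usage: construct one StartTlsUpgrader when the SMTP service starts (so a bad keystore path fails deployment, not the first client) and call upgrade() from the STARTTLS handler; all reads and writes after that go through the returned SSLSocket's streams. This also explains the second observation in the post above: the JSSE debug setting is read once when the SSL classes initialize, so System.setProperty("javax.net.debug", ...) inside a command handler that runs after those classes have loaded does nothing, whereas the -Djavax.net.debug command-line flag is in place before any of them load.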

                            • 11. Re: TODO: TLS and JBossSX integration
                              kabirkhan

                              Steve:
                              Yep, that's the way. I prefer the Putty SSH client to the crap one built in to windows though. If you haven't changed

                              MK:
                              Thanks for looking, I will try it out again.

                              Cheers,

                              Kab

                              • 12. Re: TODO: TLS and JBossSX integration
                                kabirkhan

                                Cool!

                                 For some reason I assumed that the keystore was part of the distribution. It seems to work now, apart from the fact that it is having problems determining the local address of the server when adding the headers, which I will look into.

                                Cheers,

                                Kab

                                • 13. Re: TODO: TLS and JBossSX integration

                                  Okay. Great.

                                  I try hitting localhost 25 (telnet) using Putty and I get connection refused. It doesn't look like my JBoss is actually opening up a port on 25.

                                  I wish I had this stuff on Linux. I may have to move it over.

                                  Steve

                                  • 14. Re: TODO: TLS and JBossSX integration
                                    kabirkhan

                                     Try port 9000 ;-)

                                    The port is configured in the SMTPProtocol MBean in jboss-service.xml. The comment reads:

                                    "defines an SMTP server. Presently we put it on 9000 for testing purposes. We don't want
                                    anyone to actually use this in production until its been completed and hardened."

                                    Cheers,

                                    Kab
