[jira] [Commented] (GERONIMO-6792) Fix hard-coded TLSv1 version in MailConnection.java for Java Mail 1.6

Thu, 27 May 2021 05:42:06 -0700 


    [ 
https://issues.apache.org/jira/browse/GERONIMO-6792?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17352445#comment-17352445
 ] 

Fredrik Jonson commented on GERONIMO-6792:
------------------------------------------

After RFC 8996 - Deprecating TLS 1.0 and TLS 1.1 - was published in march 2021, 
I have noticed that some mail providers indeed now disallow TSLv1.0. This 
obviously makes the current release of geronimo-javamail fail delivery to such 
RFC-compliant servers. 

I have locally built and manually tested the patch 
GERONIMO-6792-v4-no-hardcoding.diff. I can confirm that it by default selects 
the default TLS protocols of the JVM, which is a great default behaviour btw. I 
have also tested using the mail.smtp.ssl.protocols flag, with various protocol 
versions, and it appears to also work as intended.

Is there anything else a non-committer can do to help nudge this into a proper 
(1.0.1?) release sometime soon?

PS. A big _Thank you_ to Richard W for finding the bug, and proposing a patch!

> Fix hard-coded TLSv1 version in MailConnection.java for Java Mail 1.6
> ---------------------------------------------------------------------
>
>                 Key: GERONIMO-6792
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-6792
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: mail
>            Reporter: Richard Zowalla
>            Priority: Major
>         Attachments: GERONIMO-6792-v4-no-hardcoding.diff, 
> GERONIMO-6792-v4.diff
>
>
> Hi,
> I encountered some issues when using Geronimo Java Mail 1.6 (1.0.0) bundled 
> with TomEE 8.0.5. The related thread [1] can be found on the 
> [[email protected]|mailto:[email protected]] Mailing-List.
> In short: 
>  * Our mail server does only support TLS 1.2 or TLS 1.3
>  * Geronimo Java Mail 1.6 in version 1.0.0 has TLS 1.0 hard-coded in the 
> source and does not use the default protocols or the specified ones via 
> *mail.smtp.ssl.protocols* for a TLS connection.
> I have attached a patch created via SVN DIFF. 
> [1] [https://www.mail-archive.com/[email protected]/msg17544.html]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to