[jira] [Commented] (GERONIMO-6793) Do not auto-enable all available Cyphers in TLS/SSL protocol handling in MailConnection
[ https://issues.apache.org/jira/browse/GERONIMO-6793?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17354607#comment-17354607 ]

Romain Manni-Bucau commented on GERONIMO-6793:
----------------------------------------------

[~rzo1] works for me, a bit better solution would be to take the time to review the ciphers used by providers, but it requires some testing time we maybe don't have, so let's go with it for now.

> Do not auto-enable all available Cyphers in TLS/SSL protocol handling in MailConnection
> ---
>
> Key: GERONIMO-6793
> URL: https://issues.apache.org/jira/browse/GERONIMO-6793
> Project: Geronimo
> Issue Type: Improvement
> Security Level: public(Regular issues)
> Components: mail
> Reporter: Richard Zowalla
> Priority: Major
>
> Check and discuss if it is a good idea to enable all cyphers in TLS/SSL protocol handling in MailConnection.java.
> Some cyphers are deprecated for good reasons and shouldn't be used.
> This enhancement might possibly include
> * Allow users to specify cyphers via properties (custom factory is already possible)
> * If we have no user-defined cyphers available, fall back to the JVM's default cyphers.
>
> This is a follow-up issue raised from the discussion on the dev mailing list, see
> http://mail-archives.apache.org/mod_mbox/geronimo-dev/202012.mbox/%3C096fbb867eda8e090eddf80fbd81cf787ac87945.camel%40hs-heilbronn.de%3E

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Comment Edited] (GERONIMO-6793) Do not auto-enable all available Cyphers in TLS/SSL protocol handling in MailConnection
[ https://issues.apache.org/jira/browse/GERONIMO-6793?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17354492#comment-17354492 ]

Richard Zowalla edited comment on GERONIMO-6793 at 5/31/21, 4:54 PM:
--------------------------------------------------------------------

What about:
# Use the JVM _enabled_ cyphers by default to be consistent with GERONIMO-6792
# Allow overriding the default via _mail.protocol.xx.mail.ciphersuites_
# Provide appropriate logging (show which ciphers are used)
# Update the README.txt to document the new behaviour and give some hints on how to determine the list of supported ciphers of a mail server

[~romain.manni-bucau] what do you mean by aliases exactly?

was (Author: rzo1):
What about:
# Use the JVM _enabled_ cyphers by default to be consistent with GERONIMO-6792
# Allow overriding the default via _mail.protocol.smtp.mail.ciphersuites_
# Provide appropriate logging (show which ciphers are used)
# Update the README.txt to document the new behaviour and give some hints on how to determine the list of supported ciphers of a mail server

[~romain.manni-bucau] what do you mean by aliases exactly?
[jira] [Comment Edited] (GERONIMO-6793) Do not auto-enable all available Cyphers in TLS/SSL protocol handling in MailConnection
[ https://issues.apache.org/jira/browse/GERONIMO-6793?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17354555#comment-17354555 ]

Richard Zowalla edited comment on GERONIMO-6793 at 5/31/21, 4:54 PM:
--------------------------------------------------------------------

I agree that tuning ciphers is a very special case and requires a lot of (background) knowledge to find a concise and working solution / list of ciphers. Even if you are managing self-hosted mail infrastructure, every small cipher change can break multiple clients (we experienced it in the past ...).

So the non-breaking way would probably be:
# Allow overriding the default via _mail.protocol.xx.mail.ciphersuites_ (and leave the current default as is)
# Provide appropriate logging (show which ciphers are used) - maybe also give a hint that all supported ciphers are used if the property is not set
# Update the README.txt to document the new behaviour and give some hints on how to determine the list of supported ciphers of a mail server

Personally, I can live with both ways as long as I can specify the ciphers easily ... ;)

was (Author: rzo1):
I agree that tuning ciphers is a very special case and requires a lot of (background) knowledge to find a concise and working solution / list of ciphers. Even if you are managing self-hosted mail infrastructure, every small cipher change can break multiple clients (we experienced it in the past ...).

So the non-breaking way would probably be:
# Allow overriding the default via _mail.protocol.smtp.mail.ciphersuites_ (and leave the current default as is)
# Provide appropriate logging (show which ciphers are used) - maybe also give a hint that all supported ciphers are used if the property is not set
# Update the README.txt to document the new behaviour and give some hints on how to determine the list of supported ciphers of a mail server

Personally, I can live with both ways as long as I can specify the ciphers easily ... ;)
[jira] [Commented] (GERONIMO-6793) Do not auto-enable all available Cyphers in TLS/SSL protocol handling in MailConnection
[ https://issues.apache.org/jira/browse/GERONIMO-6793?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17354555#comment-17354555 ]

Richard Zowalla commented on GERONIMO-6793:
-------------------------------------------

I agree that tuning ciphers is a very special case and requires a lot of (background) knowledge to find a concise and working solution / list of ciphers. Even if you are managing self-hosted mail infrastructure, every small cipher change can break multiple clients (we experienced it in the past ...).

So the non-breaking way would probably be:
# Allow overriding the default via _mail.protocol.smtp.mail.ciphersuites_ (and leave the current default as is)
# Provide appropriate logging (show which ciphers are used) - maybe also give a hint that all supported ciphers are used if the property is not set
# Update the README.txt to document the new behaviour and give some hints on how to determine the list of supported ciphers of a mail server

Personally, I can live with both ways as long as I can specify the ciphers easily ... ;)
[jira] [Commented] (GERONIMO-6793) Do not auto-enable all available Cyphers in TLS/SSL protocol handling in MailConnection
[ https://issues.apache.org/jira/browse/GERONIMO-6793?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17354553#comment-17354553 ]

Romain Manni-Bucau commented on GERONIMO-6793:
----------------------------------------------

I'm still hesitant - not to say rather against - on 1. #6792 is different, since most of the time that one will work, but ciphers are often very finely tuned and can break more easily (on the apps I reviewed it will break in ~15% of the cases unintentionally, which is high enough to be bothersome for such a small change, whereas having a good default breaks in 0 cases and works in 100% of cases). Agree on 2 (though smtp is not hardcoded and it depends on the protocol used ;)).
[jira] [Commented] (GERONIMO-6793) Do not auto-enable all available Cyphers in TLS/SSL protocol handling in MailConnection
[ https://issues.apache.org/jira/browse/GERONIMO-6793?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17354492#comment-17354492 ]

Richard Zowalla commented on GERONIMO-6793:
-------------------------------------------

What about:
# Use the JVM _enabled_ cyphers by default to be consistent with GERONIMO-6792
# Allow overriding the default via _mail.protocol.smtp.mail.ciphersuites_
# Provide appropriate logging (show which ciphers are used)
# Update the README.txt to document the new behaviour and give some hints on how to determine the list of supported ciphers of a mail server

[~romain.manni-bucau] what do you mean by aliases exactly?
[jira] [Commented] (GERONIMO-6792) Fix hard-coded TLSv1 version in MailConnection.java for Java Mail 1.6
[ https://issues.apache.org/jira/browse/GERONIMO-6792?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17354488#comment-17354488 ]

Richard Zowalla commented on GERONIMO-6792:
-------------------------------------------

I just updated the README.txt of *GERONIMO-6792-v4-no-hardcoding.diff*, which I forgot to update at the time of providing this patch. It now correctly states the fallback to JVM defaults.

> Fix hard-coded TLSv1 version in MailConnection.java for Java Mail 1.6
> ---
>
> Key: GERONIMO-6792
> URL: https://issues.apache.org/jira/browse/GERONIMO-6792
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: mail
> Reporter: Richard Zowalla
> Priority: Major
> Attachments: GERONIMO-6792-v4-no-hardcoding.diff, GERONIMO-6792-v4.diff
>
> Hi,
> I encountered some issues when using Geronimo Java Mail 1.6 (1.0.0) bundled with TomEE 8.0.5. The related thread [1] can be found on the [us...@tomee.apache.org|mailto:us...@tomee.apache.org] Mailing-List.
> In short:
> * Our mail server only supports TLS 1.2 or TLS 1.3
> * Geronimo Java Mail 1.6 in version 1.0.0 has TLS 1.0 hard-coded in the source and does not use the default protocols or the ones specified via *mail.smtp.ssl.protocols* for a TLS connection.
> I have attached a patch created via SVN DIFF.
> [1] [https://www.mail-archive.com/users@tomee.apache.org/msg17544.html]

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
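The two issues above describe the same hardening rule twice: GERONIMO-6792 replaces a hard-coded TLSv1 with the JVM's default protocols unless mail.smtp.ssl.protocols is set, and GERONIMO-6793 proposes the same for cipher suites (the JVM's enabled defaults unless a property overrides them, plus a log line saying what is in force). The standalone program below is an added example written for this page; it is not code from Geronimo JavaMail, from MailConnection.java, or from any of the attached patches. It assumes the standard JavaMail property names mail.<protocol>.ssl.protocols and mail.<protocol>.ssl.ciphersuites (the thread's own proposal spells the cipher property mail.protocol.smtp.mail.ciphersuites; which name Geronimo ended up honouring is not asserted here), and the class MailTlsDefaults and its helpers are hypothetical. It first shows why "all supported" and "enabled by default" differ on the JVM it runs on, then applies the fallback/override rule to an unconnected SSLSocket so it runs offline.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Properties;
import java.util.Set;
import java.util.stream.Collectors;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/*
 * Added example (hypothetical class, not Geronimo JavaMail code).
 * Rule: enable what the user configured; if nothing is configured, enable the
 * JVM's *enabled* defaults, never everything the JVM merely supports.
 */
public class MailTlsDefaults {

    /** Splits a whitespace- or comma-separated property value into names. */
    static List<String> parseList(String value) {
        if (value == null) {
            return Collections.emptyList();
        }
        return Arrays.stream(value.split("[\\s,]+"))
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toList());
    }

    /**
     * Returns the names to enable. Unknown names are rejected up front:
     * SSLSocket.setEnabled*() would throw IllegalArgumentException anyway, and
     * silently dropping them could leave a weaker set than the operator believes.
     */
    static String[] resolve(String configured, String[] jvmEnabled, String[] jvmSupported) {
        List<String> wanted = parseList(configured);
        if (wanted.isEmpty()) {
            return jvmEnabled;
        }
        Set<String> supported = new LinkedHashSet<>(Arrays.asList(jvmSupported));
        List<String> unknown = wanted.stream()
                .filter(n -> !supported.contains(n))
                .collect(Collectors.toList());
        if (!unknown.isEmpty()) {
            throw new IllegalArgumentException("not supported by this JVM: " + unknown);
        }
        return wanted.toArray(new String[0]);
    }

    /** Applies the rule for one mail protocol ("smtp", "imap", ...) and logs the outcome. */
    static SSLSocket configure(SSLSocket socket, Properties props, String mailProtocol) {
        String prefix = "mail." + mailProtocol + ".ssl.";   // assumed JavaMail-style names
        String[] protocols = resolve(props.getProperty(prefix + "protocols"),
                socket.getEnabledProtocols(), socket.getSupportedProtocols());
        String[] suites = resolve(props.getProperty(prefix + "ciphersuites"),
                socket.getEnabledCipherSuites(), socket.getSupportedCipherSuites());
        socket.setEnabledProtocols(protocols);
        socket.setEnabledCipherSuites(suites);
        // The log line the issue asks for: what is in force and where it came from.
        System.out.println(mailProtocol + ": protocols " + Arrays.toString(protocols)
                + (props.containsKey(prefix + "protocols") ? " (configured)" : " (JVM default)")
                + ", " + suites.length + " cipher suites"
                + (props.containsKey(prefix + "ciphersuites") ? " (configured)" : " (JVM default)"));
        return socket;
    }

    public static void main(String[] args) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        // An unconnected socket is enough to inspect and set TLS parameters offline.
        SSLSocket probe = (SSLSocket) factory.createSocket();

        // What "enable all available" would add on top of the JVM's vetted default set.
        Set<String> enabled = new LinkedHashSet<>(Arrays.asList(probe.getEnabledCipherSuites()));
        List<String> extra = Arrays.stream(probe.getSupportedCipherSuites())
                .filter(s -> !enabled.contains(s))
                .collect(Collectors.toList());
        System.out.println("supported protocols: " + Arrays.toString(probe.getSupportedProtocols()));
        System.out.println("enabled protocols:   " + Arrays.toString(probe.getEnabledProtocols()));
        System.out.println("cipher suites enabled by default: " + enabled.size()
                + ", supported but not enabled: " + extra.size()
                + " e.g. " + extra.subList(0, Math.min(8, extra.size())));

        // Case 1: nothing configured -> JVM defaults (the fallback both issues ask for).
        configure((SSLSocket) factory.createSocket(), new Properties(), "smtp");

        // Case 2: explicit override, as the operator of a TLS 1.2/1.3-only server might set it
        // (constructed values; add TLSv1.3 and its TLS_AES_* suites on Java 11+ or a recent 8u).
        Properties p = new Properties();
        p.setProperty("mail.smtp.ssl.protocols", "TLSv1.2");
        p.setProperty("mail.smtp.ssl.ciphersuites",
                "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
        SSLSocket s = configure((SSLSocket) factory.createSocket(), p, "smtp");
        System.out.println("configured suites:   " + Arrays.toString(s.getEnabledCipherSuites()));

        // Case 3: a typo or a suite this JVM does not know is an error, not a silent downgrade.
        Properties bad = new Properties();
        bad.setProperty("mail.smtp.ssl.ciphersuites", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_TYPO");
        try {
            configure((SSLSocket) factory.createSocket(), bad, "smtp");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile with javac and run with java; no network access is needed because the sockets are never connected. The "(configured)" / "(JVM default)" tag in the log line is the hint Richard asks for in his second proposal. The JVM's enabled defaults already reflect the jdk.tls.disabledAlgorithms policy in java.security, which is why they are the right fallback; the supported list is a superset that still contains suites and protocol versions that policy has switched off, and enabling all of it is exactly what GERONIMO-6793 wants to stop doing.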
[jira] [Updated] (GERONIMO-6792) Fix hard-coded TLSv1 version in MailConnection.java for Java Mail 1.6
[ https://issues.apache.org/jira/browse/GERONIMO-6792?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Richard Zowalla updated GERONIMO-6792:
--------------------------------------
Attachment: GERONIMO-6792-v4-no-hardcoding.diff
[jira] [Updated] (GERONIMO-6792) Fix hard-coded TLSv1 version in MailConnection.java for Java Mail 1.6
[ https://issues.apache.org/jira/browse/GERONIMO-6792?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Richard Zowalla updated GERONIMO-6792:
--------------------------------------
Attachment: (was: GERONIMO-6792-v4-no-hardcoding.diff)