We have a Java email application that connects to a Domino Mail Server. The application works if I test sending emails to Gmail or other mail servers. However, when I changed the configuration to connect to the Domino Mail server, it always gives the error below.

ERROR MESSAGE

JavaFX Application Thread, handling exception: javax.net.ssl.SSLHandshakeException: Server chose SSLv3, but that protocol version is not enabled or not supported by the client

I tried to enable SSL debugging using the command below to gather the SSL debug logs. Using this link, I tried to make sense of what happened during the handshake. It seems that initially the client and server agreed to connect using TLSv1, as shown in ClientHello, TLSv1. But then the server responded with ServerHello, SSLv3, after which the error showed. Can anyone help in analyzing these logs? It might provide some other ideas on how to fix this problem.

java -Djavax.net.debug=all -Dmail.socket.debug=true -Dhttps.protocols=TLSv1.1,TLSv1.2 -jar app.jar

SSL Debug Logs

[DEBUG] 2017-06-08 11:24:08.046 [JavaFX Application Thread] ManEmailService - Load Mail Properties in into Javamail Session
DEBUG: getProvider() returning javax.mail.Provider[TRANSPORT,smtp,com.sun.mail.smtp.SMTPTransport,Sun Microsystems, Inc]
DEBUG SMTP: useEhlo true, useAuth true 
DEBUG SMTP: useEhlo true, useAuth true 
DEBUG SMTP: trying to connect to host "164.39.7.92", port 25, isSSL false 
220 mailserver ESMTP Service (Lotus Domino Release 8.5.3FP6) ready at Thu, 8 Jun 2017 08:24:09 +0100
DEBUG SMTP: connected to host "164.39.7.92", port: 25 

EHLO chol130 
250-mailserver Hello chol130 ([10.210.136.21]), pleased to meet you
250-TLS 
250-HELP 
250-STARTTLS 
250-DSN 
250-SIZE 52428800 
250 PIPELINING 
DEBUG SMTP: Found extension "TLS", arg "" 
DEBUG SMTP: Found extension "HELP", arg "" 
DEBUG SMTP: Found extension "STARTTLS", arg "" 
DEBUG SMTP: Found extension "DSN", arg "" 
DEBUG SMTP: Found extension "SIZE", arg "52428800" 
DEBUG SMTP: Found extension "PIPELINING", arg "" 
STARTTLS 
220 Ready to start TLS 
Allow unsafe renegotiation: false 
Allow legacy hello messages: true 
Is initial handshake: true 
Is secure renegotiation: false 
EHLO chol130 
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_GCM_SHA256 
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 
%% No cached client session 
*** ClientHello, TLSv1 
RandomCookie:  GMT: 1496840856 bytes = { 144, 229, 226, 93, 29, 240, 155, 120, 31, 198, 49, 168, 69, 96, 192, 17, 63, 179, 48, 152, 162, 151, 80, 52, 74, 227, 108, 212 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, **TLS_RSA_WITH_AES_128_CBC_SHA**, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension server_name, server_name: [type=host_name (0), value=gb.gb.tp.com]
*** 
[write] MD5 and SHA1 hashes:  len = 140 
0000: 01 00 00 88 03 01 59 38   FB 98 90 E5 E2 5D 1D F0  ......Y8.....].. 
0010: 9B 78 1F C6 31 A8 45 60   C0 11 3F B3 30 98 A2 97  .x..1.E`..?.0... 
0020: 50 34 4A E3 6C D4 00 00   1E C0 09 C0 13 00 2F C0  P4J.l........./. 
0030: 04 C0 0E 00 33 00 32 C0   08 C0 12 00 0A C0 03 C0  ....3.2......... 
0040: 0D 00 16 00 13 00 FF 01   00 00 41 00 0A 00 16 00  ..........A..... 
0050: 14 00 17 00 18 00 19 00   09 00 0A 00 0B 00 0C 00  ................ 
0060: 0D 00 0E 00 16 00 0B 00   02 01 00 00 00 00 1D 00  ................ 
0070: 1B 00 00 18 67 62 61 68   65 6C 62 76 33 2E 67 62  ....gb.gb 
0080: 2E 74 6E 74 70 6F 73 74   2E 63 6F 6D              .tp.com 
JavaFX Application Thread, WRITE: TLSv1 Handshake, length = 140 
[Raw write]: length = 145 
0000: 16 03 01 00 8C 01 00 00   88 03 01 59 38 FB 98 90  ...........Y8... 
0010: E5 E2 5D 1D F0 9B 78 1F   C6 31 A8 45 60 C0 11 3F  ..]...x..1.E`..? 
0020: B3 30 98 A2 97 50 34 4A   E3 6C D4 00 00 1E C0 09  .0...P4J.l...... 
0030: C0 13 00 2F C0 04 C0 0E   00 33 00 32 C0 08 C0 12  .../.....3.2.... 
0040: 00 0A C0 03 C0 0D 00 16   00 13 00 FF 01 00 00 41  ...............A 
0050: 00 0A 00 16 00 14 00 17   00 18 00 19 00 09 00 0A  ................ 
0060: 00 0B 00 0C 00 0D 00 0E   00 16 00 0B 00 02 01 00  ................ 
0070: 00 00 00 1D 00 1B 00 00   18 67 62 61 68 65 6C 62  .........gbahelb 
0080: 76 33 2E 67 62 2E 74 6E   74 70 6F 73 74 2E 63 6F  v3.gb.tp.co 
0090: 6D                                                 m 
[Raw read]: length = 5 
0000: 16 03 00 00 3A                                     ....: 
[Raw read]: length = 58 
0000: 02 00 00 36 03 00 59 60   96 A9 99 8D 55 45 0D 78  ...6..Y`....UE.x 
0010: 0F B5 CE 45 42 77 D6 3F   DF 76 BD F5 F3 70 86 DD  ...EBw.?.v...p.. 
0020: 02 E8 E6 B3 7F 3E 10 75   40 52 B5 B0 21 51 62 6B  .....>.u@R..!Qbk 
0030: F4 72 53 FC B0 1B FC 00   2F 00                    .rS...../. 
JavaFX Application Thread, READ: SSLv3 Handshake, length = 58 
*** **ServerHello, SSLv3** 
RandomCookie:  GMT: 1499436457 bytes = { 153, 141, 85, 69, 13, 120, 15, 181, 206, 69, 66, 119, 214, 63, 223, 118, 189, 245, 243, 112, 134, 221, 2, 232, 230, 179, 127, 62 }
Session ID:  {117, 64, 82, 181, 176, 33, 81, 98, 107, 244, 114, 83, 252, 176, 27, 252}
***Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA*** 
Compression Method: 0 
*** 
JavaFX Application Thread, handling exception: javax.net.ssl.SSLHandshakeException: Server chose SSLv3, but that protocol version is not enabled or not supported by the client.
JavaFX Application Thread, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
JavaFX Application Thread, WRITE: TLSv1.2 Alert, length = 2 
[Raw write]: length = 7 
0000: 15 03 03 00 02 02 28                               ......( 
JavaFX Application Thread, called closeSocket() 
[ERROR] 2017-06-08 11:24:08.748 [JavaFX Application Thread] ManEmailService - Mail Message crap!!!javax.mail.MessagingException: Can't send command to SMTP host;
  nested exception is:
        javax.net.ssl.SSLHandshakeException: Server chose SSLv3, but that protocol version is not enabled or not supported by the client.

Javamail Properties file

#Set Mail Sender 
sender.mail.from=sample@xwy.com 
sender.mail.username= 
sender.mail.password= 
sender.mail.subject=subject 

#Set Mail Sender Properties 
mail.smtp.port=25 
mail.smtp.host=<IP_ADDRESS>
#mail.smtp.ssl.trust=<IP_ADDRESS> 
mail.transport.protocol=smtp 
mail.smtp.auth=true 
mail.smtp.starttls.enable=true 
mail.smtp.timeout=5000 
#mail.smtp.ssl.enable=true 
mail.debug=true 
dimas

1 Answer

It seems that the server only supports the old and insecure SSLv3 protocol. If you still want to use this server (for instance because of being in a secure and sealed internal network), you need to either activate protocols >SSLv3 (like TLSv1 or TLSv1.1 etc.) on the server side or tell your client to support SSLv3 as well.

In your Java email application, try to set the following system properties as arguments (as part of the java .. arguments):

-Dhttps.protocols=SSLv3,TLSv1,TLSv1.2

If this does not help, most probably the SSL protocol is hardcoded in the source code.

For other options to set protocols on source code level, have a look here: how to use TLSV1 or SSLV3 for first handshake(Client Hello) in Java?

//Update

What about this one in the property file: mail.smtps.ssl.protocols=SSLv3,TLSv1,TLSv1.1,TLSv1.2

Source: https://discretemkt.wordpress.com/2014/11/15/javamail-enables-or-disables-sslv3/

Aydin K.
  • I enabled it as you said but I still get the same error. Also tried to remove SSLv3 from java.security jdk.tls.disabledAlgorithms – dimas Jun 08 '17 at 09:28
  • I added the properties file I used in the Java application; it might help... somehow. – dimas Jun 08 '17 at 09:49
  • It looks like you're using the "smtp" protocol so the property should be named `mail.smtp.ssl.protocols`. Also, the values need to be whitespace separated - `mail.smtp.ssl.protocols=SSLv3 TLSv1 TLSv1.1 TLSv1.2`. Depending on where and how you're setting the property, the value may need to be quoted. – Bill Shannon Jun 08 '17 at 17:54
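
Added example, not part of the original question, answer or comments: a small Python parser run over the `[Raw write]` and `[Raw read]` bytes from the debug log. It reads the version fields and cipher suites straight from the ClientHello and ServerHello records, so the mismatch can be confirmed from the wire bytes. The set of protocols enabled on the client is an assumption inferred from the exception text.

```python
import struct

# Protocol versions as (major, minor) bytes on the wire.
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 0x01, 0x02

# Bytes copied from the "[Raw write]" and "[Raw read]" dumps in the log above.
# The ClientHello is cut after its cipher-suite list (compression/extensions omitted).
CLIENT_RAW = bytes.fromhex(
    "160301008C 010000880301"
    "5938FB9890E5E25D1DF09B781FC631A84560C0113FB33098A29750344AE36CD4"
    "00 001E C009C013002FC004C00E00330032C008C012000AC003C00D0016001300FF")
SERVER_RAW = bytes.fromhex(
    "160300003A 020000360300"
    "596096A9998D55450D780FB5CE454277D63FDF76BDF5F37086DD02E8E6B37F3E"
    "10 754052B5B02151626BF47253FCB01BFC 002F 00")

def parse_hello(record: bytes) -> dict:
    """Decode the version fields and cipher suites of one Client/ServerHello record."""
    ctype, rmaj, rmin, _length = struct.unpack_from("!BBBH", record, 0)
    body = record[5:]
    if ctype != HANDSHAKE or body[0] not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a ClientHello/ServerHello handshake record")
    pos = 4 + 2 + 32                    # handshake header, version, 32-byte random
    pos += 1 + body[pos]                # session_id length byte plus the id itself
    if body[0] == CLIENT_HELLO:         # client sends a length-prefixed list
        (n,) = struct.unpack_from("!H", body, pos)
        suites = [body[i:i + 2].hex() for i in range(pos + 2, pos + 2 + n, 2)]
    else:                               # server sends the single suite it picked
        suites = [body[pos:pos + 2].hex()]
    return {"record_version": VERSIONS.get((rmaj, rmin), "unknown"),
            "hello_version": VERSIONS.get((body[4], body[5]), "unknown"),
            "suites": suites}

def diagnose(client_raw: bytes, server_raw: bytes, enabled: set) -> dict:
    """Compare the server's choice with what the client offered and has enabled."""
    ch, sh = parse_hello(client_raw), parse_hello(server_raw)
    return {"client_max": ch["hello_version"],   # highest version the client offers
            "server_chose": sh["hello_version"],
            "version_enabled_on_client": sh["hello_version"] in enabled,
            "suite": sh["suites"][0],
            "suite_was_offered": sh["suites"][0] in ch["suites"]}

if __name__ == "__main__":
    # Assumption: SSLv3 is disabled in the JVM, as the exception in the log implies.
    print(diagnose(CLIENT_RAW, SERVER_RAW, {"TLSv1", "TLSv1.1", "TLSv1.2"}))
```

Suite `002f` is TLS_RSA_WITH_AES_128_CBC_SHA, which the client offered, so cipher selection succeeded and only the protocol version chosen by the server is rejected.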